The Fuzz: To Serve And Protect

Metasploit's browser bug hunt shows future of software testing

BY P.J. CONNOLLY

"Fuzzing," or "fuzz testing," is the practice of testing software by feeding it random, malformed or boundary-case data. From a software security perspective, the goal is fault identification, whether the result is a buffer overflow, a denial of service, a string injection or some other problem.

Armed with a variety of so-called "fuzzers," H.D. Moore's Metasploit Project (www.metasploit.com) may have shown developers and testers that automated bug-hunting tools are the best way available to harden their code. Although Moore intended the recent "Month of Browser Bugs" to publicize what he characterized as the dangers of inadequate client-side browser security, one industry analyst finds it a needed wake-up call for developers of every stripe.

Moore, a co-founder of the Digital Defense risk assessment shop and the Open Source Vulnerability Project, and director of security research for BreakingPoint Systems, began July's so-called MoBB as a way to promote his blog, "Browser Fun" (browserfun.blogspot.com), which he dedicated to the topic of Web browser security research and vulnerability disclosure. After
► continued on page 8



Mercury Acquisition Leaves QA Tools in Limbo

CEO Mark Hurd wants to make software a 'crown jewel' of HP.

BY ALEX HANDY

When Hewlett-Packard announced late last month that it would be acquiring software tools vendor Mercury Interactive, the US$4.5 billion price tag seemed to indicate a large investment in the IT management and governance space by the company Fortune magazine ranked as the 11th largest in the world. Indeed, HP made it clear that its OpenView products will benefit from the additional capabilities brought to the company by Mercury's diverse product line, but little was said about Mercury's 10,000-plus quality assurance customers.

Mark Hurd, CEO of HP, in a conference call on the day the acquisition was announced, said, "We think this is a big opportunity for us and a big opportunity to make software truly a crown jewel of HP." Even HP's competitor CA agrees that the acquisition makes sense, but that doesn't mean industry analysts expect
► continued on page 12



Xen and the Art of Visualization

Microsoft joins industry heavyweights in backing project

BY ALEX HANDY

The Xen virtualization platform is fast gaining industry support, thanks to the contributions of companies such as HP, IBM, Novell, Sun and even Microsoft. During the month of July, IBM and HP both announced the introduction of support offerings for Xen running under SUSE, and Microsoft announced that it would begin working with XenSource, the enterprise software company based on Xen, to foster better compatibility for the virtualization platform.

At the core of the HP and IBM announcements was the release of SUSE Linux 10. Novell's latest iteration of its Linux-based operating system now includes Xen as a standard part of both server and desktop installations. Since both HP and IBM are offering service and support contracts for their systems that run SUSE, both companies are also offering support for Xen. Interestingly, Microsoft will also be offering support for the tool when it releases Windows Server Longhorn.

But that doesn't mean that all
► continued on page 19



SOA ADOPTION BRISK, VARIES BY INDUSTRY

BY EDWARD J. CORREIA

For most companies, the adoption of a service-oriented architecture is not a matter of if, but when. "SOA's rush into early adoption is remarkable," concluded Aberdeen Group, which published a study in June showing that 90 percent of companies around the world will have some SOA experience by the end of this year.

But take that with a grain of salt. The report, titled "Enterprise Service Bus and SOA Middleware," was paid for by Fiorano, IBM and TIBCO, all of which have dogs in the SOA hunt. Other studies, including Evans Data's Spring 2006 Web Services Development Survey, show more modest adoption rates but with a sharp increase in recent months. A Gartner report published in November indicates that adoption varies significantly by industry.

Of the nearly 400 U.S.-based developers and managers polled by Evans Data this spring, about one in four said they currently implement an SOA, an 85 percent increase from last year's survey. Aberdeen's was a global poll; about half of respondents were from the United States and a quarter from Europe.

Regardless of whose numbers paint a more lifelike picture, most would agree that SOA standards and technologies — SOAP, XML, UDDI, WS-* and others — have not only proven wor-
► continued on page 13
At Sun, Two CTOs Are Better Than One

First job is to get a handle on what company is doing; life-cycle tools a possibility

BY ALEX HANDY

Sun Microsystems' two CTOs have only been on the job since the summer began, but they already have a cohesive vision and goal: to tear down the silos. Tim Marsland and Bob Brewin share the position, and they both fully acknowledge that Sun's largest weakness is its scattered approach to business and development.

"We have to get a better idea, though this is embarrassing to admit, of exactly what we're doing," said Marsland, who was CTO of the Solaris product line before taking on the management of all Sun's systems software. "For the last several years we haven't really known what we're doing globally. We really want to be able to get a clearer idea on what our actual investment portfolio looks like and where we're taking it." That, said Marsland, means looking over the current crop of software and systems offerings at Sun, and choosing projects that bring the best return on development investment.

[Photo caption: Sun's two CTOs, Bob Brewin (left) and Tim Marsland, share the task of pointing the company's products in the right direction.]

Currently, both Marsland and Brewin feel that Solaris and NetBeans are the top horses in the race, though other possible areas of investigation include life-cycle management and server-based video-on-demand solutions.

To coordinate the company's efforts better, Marsland and Brewin have divided up their duties. Said Marsland: "I'm more responsible for the systems-level software: the operating system. Bob is more focused on the application platform. There is some deliberate overlap. Obviously the idea of splitting the job up comes from the fact that it's such a big job. So far it's working out really well."

Brewin, who was formerly a distinguished engineer in Sun's developer tools organization, said that the many departments inside Sun have not traditionally worked together to integrate their products to the extent that other companies have. After only three weeks on the job, Brewin said that his goal was to foster increased communication and coordination among Sun's many internal developers and designers.

One way he hopes to accomplish this is by focusing more on the entire life cycle of software development, and to offer a cohesive management stack for developers working from start to finish. Brewin added that he will consider any possible software that could help fill in the gaps of Sun's life-cycle plays.

HEAVY LOSSES

But despite the candor of both Marsland and Brewin, Sun's beleaguered software business has yet to turn the corner. While the company's director of systems software marketing, Chris Rattcliffe, said that the company has been successfully selling its software as service and support contracts for more than a year now, Sun still took a heavy loss in Q4.

In late July, Sun announced that it took a US$301 million loss for the fourth quarter of its 2006 financial year. On the bright side, the company saw its revenues increase by almost $900 million over Q4 2005, but this included sales and licensing agreements of SeeBeyond, the $200 million storage technology company Sun acquired two days before the end of the quarter.

But for now, the two men have their work cut out for them. Brewin is working with the team bringing Java into the open-source community, but declined to impart any new information on the process, preferring to repeat CEO Jonathan Schwartz's JavaOne statement: "It's not when we open-source Java, but how."

GPL 3.0 Revision Offers Patent Protection

New clause written by FSF offers covenant for users, developers

BY ALEX HANDY

A July revision of the Free Software Foundation's controversial GNU General Public License 3.0 draft adds a covenant to protect users of patented GPL software from legal action.

The prior draft of the license had drawn ire because of its unclear language in regard to patented GPL software.

Eben Moglen, general counsel of the FSF and co-author of the license, said, "We've spent a lot of time listening to a lot of people. We've done a good deal of redrafting and responding to ideas developed in the course of the spring."

Moglen included, with the second draft, an audio recording in which he explains the reasoning behind some of the changes in this draft. Among those reasons, he cited the expansion of digital rights management and the danger of GPL software being used as bait for patent lawsuits as two of the primary concerns addressed in this new draft.

"You certainly wouldn't want someone suing a user of free software for patent infringement. We want to make sure that nobody turns a patent or a patent license into a way of making a program that is free in appearance un-free in reality," said Moglen in an interview with SD Times.

The newly added patent covenant appears in the completely revised section 11 of the second GPL 3.0 draft. In this section, the GPL reads, "You receive the Program with a covenant from each author and conveyor of the Program, and of any material, conveyed under this License, on which the Program is based, that the covenanting party will not assert (or cause others to assert) any of the party's essential patent claims in the material that the party conveyed, against you, arising from your exercise of rights under this License."

Essentially, said Moglen, this new paragraph means that the rights granted in the GPL cannot be suspended by a software patent. But, Moglen added, this does not mean that software licensed under the GPL cannot be patented: If a developer patents software that's licensed under GPL 3.0, the developer cannot then mandate that end users have a patent license in order to modify said program.

The revised patent section closes out with a newly added clarification that ensures software patents and copyright privileges that do not infringe upon the GPL's protections are fair game. "Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law."

But the softened and clarified take on patents doesn't mean that the Free Software Foundation thinks that software patents are a good idea. "The FSF is a very realistic foundation. Mr. Stallman and his colleagues have always been clear that there's only so much you can do [about patents in the GPL]. The patent problem hurts everybody because it's a bad way to think about software, to think of it as patentable," said Moglen. Richard Stallman is the founder and chairman of the FSF.

Other revisions to the GPL 3.0 include a mandate that requires that all additional licensing information added to software licensed under the GPL be included in the source code. The new draft also broadened the definition of what it means to make source code publicly available to include sharing over peer-to-peer networks.



3D DESKTOP

[Photo caption] Novell last month began shipping SUSE Linux Enterprise 10, which includes updated versions of its SUSE Linux Enterprise Server and Enterprise Desktop distributions. The desktop edition includes an Xgl-based GUI with tiling and 3D effects, pictured, and integrated versions of OpenOffice.org 2.0 and Beagle search. New in the server edition is AppArmor application-level security, Xen virtualization, ZENworks management and new storage components that Novell says let the server run Oracle's Real Application Clusters straight out of the box. Pricing for version 10 has been reduced and simplified from prior editions.
Scaling Agile Practices for the Enterprise

Project management solutions deal with requirements, tool integrations

BY DAVID RUBINSTEIN

One of the issues that has held back adoption of agile development methodologies in large organizations, advocates acknowledge, is scalability. Two well-known vendors of agile project management software released products in late July to deal with the issue.

Rally Software released Rally Enterprise, life-cycle management software that features Agile Accelerators, which offer prescriptive services to organizations regarding methods and tools. It also introduces traceability and versioning around requirements management.

Also last month, VersionOne released V1: Agile API, which lets customers tie into such life-cycle tools as bug trackers, IDEs and requirements management tools. "The API extends the natural progression from tool to product to platform," said VersionOne president and CEO Robert Holler. The API also extends V1: Agile Enterprise, a life-cycle management product released in April that is being updated with the ability to notify team members about requirements, features or tasks via RSS.

EXPOSED AS AN API

Holler explained that prior to the release of the Agile API, connections to life-cycle tools could be made manually, but now, he said, all the reads and writes are exposed as a Web service API.

Rally's Enterprise platform also offers portfolio management metrics through reporting and executive dashboards, which give the status of a life-cycle process, according to Mike Metcalf, Rally's vice president of marketing.

"Some teams have to justify their existence and need levels of metrics and reporting," said Ryan Martens, Rally's founder and CTO. "They need to show they're making progress on quality, efficiency and customer satisfaction, and these aren't even agile shops."

Martens also noted that in many enterprises, regulatory compliance is an issue that must be faced "without forcing them into a model that scales through longer planning cycles, upfront waste, and less emphasis on getting out quality software."

Metcalf said a feature of note is that the platform is available as an on-demand service or with an on-premises installation.

Rally's service model delivers the project management software as a VMware image, with charts and burndowns given in a rich-client, AJAX-like interface, Martens said.

The Agile Accelerators provide what Rally calls "maturity services," which at first help implement agile practices, then deal with requirements gathering from the product's owners, and then help organizations tackle concurrent engineering and velocity increases. Its "scaling services" are designed to assist with multiteam project management and with blending agile practices into the entire organization, Metcalf explained. Rally expects to ship the tools in mid-August.
Now There's Instant Help For Enterprise Applications

Zion Software blends instant messaging, AJAX

BY EDWARD J. CORREIA

Instant oatmeal, instant coffee, instant gratification... Americans like to have things now. Making that happen for software is Zion Software, which last month released Instant Help to enable IM-based application help systems across an enterprise or the Internet. It began shipping on July 18.

According to Zion CTO David Ferrero, Instant Help lets developers create buttons on a Web page that correspond to applications or assistance categories within an application. Take, for example, an HR application that does not allow employees to access their HR information through a browser. "The HR department might have a button [created] that employees can press to ask how many vacation days they have left," he said.

The button would initiate an AJAX-based IM session between the employee and the existing IM client of one or more designated HR people whose real screen names remain private. At times, buttons can be "grayed out" based on rules or staff availability. "This aggregates the presence information of multiple people in terms of that button. You could also set up times of day when that help is available," using an included rules engine, he added.

Instant Help works through a company's in-house IM system — Jabber, Lotus Sametime or Microsoft LCS — or with public IM systems such as AIM, Google Talk, MSN and Yahoo Messenger, or a combination. Also required is JBuddy Message Server, Zion's IM message and routing engine for Java SE 1.4 or higher, which costs US$30 per user per month.

Available as a hosted service, Instant Help costs an additional $30 per month per concurrent session plus a gateway for each IM network (Sametime, AIM, etc.) to be used. Gateways cost between $1,000 and $2,000 each. "If a company buys just one concurrent help session, only one person can get instant help at a time. If a second person needs help at the same time, their questions go into a queue," he explained. The self-hosted version costs $399 per concurrent session. SDKs, which include APIs and libraries, are available for Java, .NET and ColdFusion.

Ferrero said that Zion's licensing model is among its strongest competitive differentiators. LivePerson, Zion's main competitor, prices its LivePerson Contact Center based on the number of customer service rep (CSR) seats. "A company might have five or 10 CSRs, and you pay for each of those on a monthly basis," he said. Zion's model, he explained, is more like the phone company's. "You might have five or 10 phone lines that everyone in the company shares."

Instant Help also permits help sessions to be transferred to other users. "You can have three or four people on tech questions and transfer to an engineer for one-off technical questions," Ferrero said. LivePerson would require such escalations to use a backchannel with the specialist, he added, such as a phone call or separate IM session.

In the future, Zion might permit Instant Help buttons to be part of a desktop application's interface. "We contemplated putting buttons in various deployed enterprise applications so that users could click a button and request help from within the application," Ferrero said.

For now, front-end interfaces are built using AJAX and HTTP. "From an end user's perspective, they come to a Web site, click a button and get help," he said. Help reps also can be automations, or bots. "You could use the bot to grab articles based on certain keywords [in a query]." Bots count as concurrent help sessions. A bot SDK is under development.
[Advertisement] Chart FX for Visual Studio

The Most Tightly Integrated Data Visualization Tool Available for Visual Studio 2005

Evidence of this is the Smart Tag Wizard that exposes many of the properties to select and display in real time. There is also a Data Wizard which allows you to quickly connect to a data source, map specific fields to the chart and instruct the chart how to use the data. The new API was designed with the Visual Studio 2005 object model in mind to make it easier to access complex functionality. Chart FX for Visual Studio 2005 adds a DHTML rendering engine that uses the AJAX (Asynchronous JavaScript and XML) web development technique to produce chart images that allow full interactivity and support state in web applications. The new Extensions Manager standardizes the infrastructure for using the Chart FX Extensions, such as financial, statistical, maps and OLAP, among others. The Chart FX Resource Center provides a "Programmer's Guide", the Chart FX API, an Internet Reference and a wealth of samples and charts (with code). Learn more about the seamless integration and powerful features at www.softwarefx.com.
NEW PRODUCTS, UPGRADES

Middleware solutions developer Fiorano Software has released a native .NET runtime for its ESB 2006 and SOA 2006 platforms. The component adds support for C#, Visual Basic, Visual C++ and all of Microsoft's other .NET languages to existing native bindings for C, C++ and Java.

Solid Information Technology in late July began beta testing solidDB for MySQL, a version of its high-performance transactional database storage engine for MySQL Server. It is available under the GPL.

Green Hills Software has unveiled TraceEdge-PMC, a version of its TimeMachine debugger for embedded systems that permits collection of trace data from PowerPC processors that do not have a trace port by diverting it through a PCI Mezzanine Card (PMC). The PMC edition joins other TraceEdge products that use real-time trace ports, standard PCI slots, target memory and local processor busses.

Adobe Systems has announced the availability of the Flex 2 products for developers focused on rich Internet applications. The Flex 2 platform includes the company's Flash Player runtime; Flex Builder, an Eclipse-based IDE; and Flex Data Services, a server-side J2EE application managing data delivery, paging and synchronization. The Flex 2 SDK and Flex Data Services 2 Express are free of charge; Flex Builder is available for US$499, while Flex Data Services 2 is $20,000 per CPU plus maintenance and support. Flex 2 Builder runs on Windows 2000 and XP, while Flex Data Services can support a variety of Linux, Unix and Windows server-class systems running appropriate application server software.

Version 2 of Doc-To-Help 2006 was released by ComponentOne last month, in both the Enterprise and the Doc-To-Help for Word versions, which cost US$999.95 and $749.95, respectively. ComponentOne claims the new release offers users better command-line support, flexible linking and publishing options, improved developer support and (Rehabilitation Act of 1973) Section 508-compliant output. The Enterprise version adds natural search, support for HTML formats, and Microsoft FrontPage and Macromedia Dreamweaver integration to the basic "for Word" package. Doc-To-Help subscribers will receive the updated versions as part of their subscriptions; competitive upgrades are also available.

Little G, a lightweight version of the Geronimo application server, has been released in conjunction with Apache Geronimo version 1.1. The full-featured Geronimo 1.1 adds a configuration and management console that provides access to the plug-in architecture of the server. It also boasts structural changes designed to improve scalability and organization.

On the heels of its acquisition of NetIQ, Attachmate in late July released version 6.0 of Verastream Host Integrator, its newly acquired screen-based host access solution, with several productivity enhancements. Among those are new debugging capabilities that reduce the time to diagnose and repair malfunctions. Also new are the ability to copy objects to ease the creation of data designs and the ability to deploy and test those models without requiring a local production server. Verastream Host Integrator enables developers to capture data and logic with the screen interface for use in Web services or other components, such as COM, JavaBeans, .NET or XML.

SlickEdit has released version 3.2 of its code editor plug-in for Eclipse, enabling developers to make the tool the default editor within any Eclipse-based IDE. The Eclipse platform went to version 3.2 in June, and this release keeps pace, according to the company. The editor includes such features as comment wrapping, the ability to specify tag jump orders and code templates. Available immediately, the plug-in costs US$199 for new licenses and $99 for licensees seeking an upgrade.

Windward Studios' Windward Reports .NET Server Engine 4.1 allows developers using Microsoft's .NET platform to generate reports using Windward's Chart and Graph output formats, and for the first time the tool provides an XLS output. Windward introduced the .NET version of the reporting engine in January; previously, it was available only for Java. The engine uses J# and requires .NET 2.0, according to the company.
Metasploit's Browser Bug Hunt Shows Future of Software Testing

◄ continued from page 1

posting a bug for each day of the month, the lion's share of the bugs Moore turned up were in Internet Explorer: 25, across both Windows XP and Windows 2000.

But Moore's been trying to break other browsers as well, and with some success. Apple's Safari, KDE's Konqueror, Mozilla's Firefox and Opera 9 all turned up on the MoBB hit list for one reason or another. Although Moore was careful to avoid posting exploit code in the MoBB listings, his tools gave him the details for the recipes that invoke each bug.

Four of the five tools Moore used to ferret out the browser flaws are publicly available through the Metasploit Project site; the last is under test, according to Moore. The "CSSDIE" tool focuses on pushing funky style values through CSS (Cascading Style Sheets), while "Hamachi" does the same with Dynamic HTML. A third tool adds and removes DOM (Document Object Model) elements to find problems with implementations of DHTML, and finally, "Mangle" creates what its author, Michal Zalewski, describes as "tiny, razor-sharp shards of malformed HTML" and feeds them to the browser under test to detect "NULL pointer references, memory corruption, buffer overflows and sometimes memory exhaustion."
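The tools above share one recipe: generate deliberately malformed markup and style values, feed them to the browser, and keep enough bookkeeping that a crash can be reproduced. What follows is an added example written for this article, not code from the Metasploit Project, CSSDIE, Hamachi or Mangle. It is a seeded mutation fuzzer for HTML and CSS in JavaScript (the tag, attribute and property lists and the mulberry32 generator are assumptions chosen for illustration) plus a browser-side driver that writes each case's seed to localStorage before loading it, so the value that survives a crash names the case to regenerate.

```javascript
// Seeded HTML/CSS mutation fuzzer. Added example, not code from the Metasploit
// Project, CSSDIE, Hamachi or Mangle. TAGS/ATTRS/CSS_PROPS are assumptions.

// mulberry32: small deterministic PRNG. Every case is a pure function of its
// seed, so a crash at seed N is regenerated exactly by generateCase(N).
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

const TAGS = ['div', 'span', 'table', 'tr', 'td', 'iframe', 'object', 'marquee',
              'select', 'option', 'textarea', 'form', 'input', 'img', 'a', 'svg'];
const ATTRS = ['id', 'style', 'width', 'height', 'src', 'href', 'name', 'type',
               'rows', 'cols', 'colspan'];
const CSS_PROPS = ['width', 'height', 'position', 'float', 'display', 'margin',
                   'padding', 'font-size', 'line-height', 'z-index',
                   'border-width', 'clip', 'overflow'];

// "Funky" style values: integer boundaries, sign flips, unit mismatches,
// very long tokens and nested functions pushed through the renderer.
function fuzzCssValue(rnd) {
  const pick = arr => arr[Math.floor(rnd() * arr.length)];
  const ints = [0, -1, 1, 255, 256, 65535, 65536, 2147483647, -2147483648,
                4294967295, 1e308];
  const units = ['px', 'em', '%', 'pt', 'cm', 'e', 'x', ''];
  switch (Math.floor(rnd() * 5)) {
    case 0: return String(pick(ints)) + pick(units);
    case 1: return 'A'.repeat(Math.floor(rnd() * 4096));            // long token
    case 2: return 'rgb(' + pick(ints) + ',' + pick(ints) + ',' + pick(ints) + ')';
    case 3: return 'url(' + 'x'.repeat(Math.floor(rnd() * 64)) + ')';
    default: return pick(['inherit', 'auto', 'none', '!important', 'calc(1px/0)']);
  }
}

// One malformed document from one seed. Open and close tags are emitted
// independently, so nesting is usually wrong, and about a fifth of the cases
// are cut off mid-token, which exercises the parser's error-recovery paths.
function generateCase(seed, maxNodes = 40) {
  const rnd = mulberry32(seed);
  const pick = arr => arr[Math.floor(rnd() * arr.length)];
  const parts = ['<html><head><style>'];
  const nRules = 1 + Math.floor(rnd() * 5);
  for (let i = 0; i < nRules; i++) {
    parts.push(pick(TAGS) + '{' + pick(CSS_PROPS) + ':' + fuzzCssValue(rnd) + '}');
  }
  parts.push('</style></head><body>');
  const nNodes = 1 + Math.floor(rnd() * maxNodes);
  for (let i = 0; i < nNodes; i++) {
    const tag = pick(TAGS);
    if (rnd() < 0.7) {
      let open = '<' + tag;
      const nAttrs = Math.floor(rnd() * 3);
      for (let j = 0; j < nAttrs; j++) {
        const attr = pick(ATTRS);
        const val = attr === 'style' ? pick(CSS_PROPS) + ':' + fuzzCssValue(rnd)
                                     : fuzzCssValue(rnd);
        open += ' ' + attr + '="' + val + '"';
      }
      parts.push(open + '>');
    } else {
      parts.push('</' + tag + '>');                                  // stray close tag
    }
  }
  parts.push('</body></html>');
  const doc = parts.join('');
  return rnd() < 0.2 ? doc.slice(0, Math.floor(rnd() * doc.length)) : doc;
}

// Browser-side driver. The seed is written to localStorage BEFORE the case is
// loaded, so if the browser dies, the value left behind names the suspect; on
// restart the suspect is reported and the run continues past it. Under Node.js
// there is no document, so this returns false and does nothing.
function runInBrowser(startSeed, count, delayMs = 250) {
  if (typeof document === 'undefined') return false;
  const key = 'fuzz.lastSeed';
  const suspect = localStorage.getItem(key);
  if (suspect !== null) console.log('last seed loaded before previous exit:', suspect);
  let seed = suspect !== null ? Number(suspect) + 1 : startSeed;
  const end = startSeed + count;
  const frame = document.createElement('iframe');
  document.body.appendChild(frame);
  (function step() {
    if (seed >= end) { localStorage.removeItem(key); return; }
    localStorage.setItem(key, String(seed));
    frame.srcdoc = generateCase(seed);
    seed += 1;
    setTimeout(step, delayMs);
  })();
  return true;
}
```

Load the script from a page in the browser under test and call runInBrowser(1, 10000); under Node.js the same file exposes generateCase(seed) for inspecting or minimizing a case offline. The iframe srcdoc attribute assumes a current browser. Because the only state that survives a crash is the seed, and the seed regenerates the exact document, the seed is the "recipe" the article refers to; a long run without that bookkeeping tells you only that something crashed, not which case did it.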

MIXED REACTION

Vendor reaction to the MoBB revelations was mixed. When contacted, Apple and the Mozilla Foundation declined comment. In a similar vein, Microsoft's public response noted that serious bugs had been fixed in a recent security update, that others merely crashed IE, and elsewhere noted that the company supported the practice of "responsible disclosure... directly to a vendor." Moore posted the Opera 9 bug as this article was being written; Opera Software reports the bug is fixed in the upcoming 9.01 release.

However, the KDE Project was willing to speak, with U.S. representative Ian Reinhart Geiser noting that the bug was in its database, was expected to be fixed in the next release, and that the episode demonstrated a "powerful feature" of Metasploit's testing methods. Since open-source projects don't have the resources to trawl through every vulnerability list, he noted, KDE and similar projects rely on outside input and direct notification of bugs.

[Photo caption: Moore's blog promotion demonstrated the need for browser "fuzz testing."]

Forrester Research senior analyst Michael Gavin sees Moore's efforts and the Month of Browser Bugs, in particular, as excellent demonstrations of the usefulness of fuzzing tools in QA and security testing. From his perusal of the MoBB blog, he believes Moore has handled the situation responsibly. "He's not releasing code that allows you to exploit these things; he's giving proof-of-concept: 'Here's something interesting, and this is how we found it.'"

The important thing, Gavin said, is that developers, QA and testers all need to understand that "they could be finding these kinds of things just as well as he can."

He went on to argue "a large percentage of security vulnerabilities would disappear if people tested for these types of things." Fuzzing, he said, is a good way to test for invalid input, which he claimed accounted for around 90 percent of known vulnerabilities.

When asked if Microsoft was living up to its pledge to make its software more secure, Gavin observed, "There's room for improvement." But he conceded that with the size of Microsoft's codebase, vulnerabilities are bound to turn up.

"The bigger lesson to be learned here is to take what [Moore's] doing and apply it to server-side code," he said, noting that while crashing a client-side browser is a nuisance, a compromised server application can be a catastrophe.

BROWSER BUG SCORECARD

Opera 9 (Windows): 1 bug. Memory corruption triggered by a long URL; fixed in the 9.01 release.

Konqueror (KDE 3.5.1 on Gentoo Linux): 1 bug. Fix expected in the next version.

Safari 2.0.4 (Mac OS X 10.4.7): 2 bugs. DHTML flaw crashes the browser; KHTML parser flaw allows code execution.

Mozilla 1.5 (Gentoo Linux, Windows 2000/XP): 2 bugs. JavaScript errors; one fixed in version 1.5.0.3, one fixed in version 1.5.0.5.

Internet Explorer (Windows 2000/XP): 25 bugs.
  Latest IE on XP SP2: 19
  Latest IE on XP SP2 with Outlook/other Office components: 3
  Latest IE on Windows 2000 SP4: 3
  By type: 14 NULL dereference bugs, 4 invalid memory use bugs, 2 stack overflows and 5 miscellaneous flaws.

Source: browserfun.blogspot.com
[Advertisement] Seapine Software

More and more development teams are switching to Seapine's Surround SCM.

That's because Surround SCM makes the switch easy and gives you more. Surround SCM provides you with a richer set of source code management features and a more productive work environment than other tools. PKWARE switched from Microsoft® Visual SourceSafe® to Surround SCM because of Surround's rock-solid stability, collaboration capabilities, and usability features. Other companies are switching for the same reasons.

Competitive upgrade offer for VSS, CVS, and PVCS users!

For a limited time, Seapine is offering a FREE named user license when you switch from Microsoft® Visual SourceSafe®, CVS, or Merant/Intersolv PVCS® to our award-winning Surround SCM. Plus, once you're part of the Seapine family, you'll receive a number of unmatched benefits including Seapine's world-class Customer Care. Thousands of users have made the switch, and more are switching every day. Isn't it time you did and got more from your SCM tool?

Visit www.seapine.com/switch to get the full story on why PKWARE made the switch and how to take advantage of this special upgrade offer. Or, call 1-888-683-6456 to speak with a Seapine product specialist. Mention offer code UG003 to receive your free license.

*Offer is valid for one named user license per company. Visit http://www.seapine.com/switch for complete upgrade details and other licensing information.

©2006 Seapine Software, Inc. Seapine Surround SCM and the Seapine logo are trademarks of Seapine Software, Inc. All Rights Reserved. All other products mentioned are the property of their respective owners.

Joe Sturonas, Chief Technology Officer, PKWARE: "PKWARE wanted a product that was flexible enough to support the multi-platform development we require as we move forward to create the next generation of data security products. VSS lacked the advanced functionality necessary for parallel code work. Surround SCM efficiently enables our collaborative development process."

Tom Francis, Software Architect, PKWARE: "Most software configuration management tools expect users to conform their processes to the tool and usually involve IT support to implement. Surround SCM is sophisticated enough to work with our complex development environment and Seapine's high level of responsiveness is impressive."

Seapine Software: Managing Process, Change & Quality Throughout the Enterprise
10 NEWS

Software Development Times, August 15, 2006, www.sdtimes.com



Embarcadero Revs DB Design Tools

New ER/Studio adds model validation, data security tags, full session undo/redo

BY P.J. CONNOLLY

Embarcadero Technologies released ER/Studio 7.1, an update to its data architecture and database design tools, last month. The new version supports Sybase IQ and a variety of DBMSes from Hitachi, IBM, Informix, InterBase, Microsoft, MySQL, NCR Teradata, Oracle and Sybase.

ER/Studio 7.1 also includes a new model validation wizard that recognizes both logical and physical models and offers more than 50 tests to enforce consistency at an enterprise level. Another new feature intended to make modelers more productive is support for n-tier undo and redo throughout a session. ER/Studio "makes it easier to look into a database, analyze the data that's there, and document that data," claimed Nancy Blum, Embarcadero's director of product marketing.

Blum noted that while many customers know they want to secure their data, they often ask, "How do I know what data to secure?" ER/Studio 7.1 attempts to address that question by introducing data properties that allow database designers and DBAs to tag data and objects by the level of sensitivity, a necessary step toward formalized data governance. She pointed out that although making services available may be a good thing, developers "have to understand [the nature of] the data they're using."

ER/Studio 7.1 runs on Windows and comes in a Standard "stand-alone" edition, or an Enterprise version that offers team collaboration features and Embarcadero's ER/Repository.

(Advertisement)

EASY to USE

ActiveReports features an easy-to-use, banded, fully integrated report designer with built-in wizards, integrated toolbars, report and field explorer window, print preview with bookmarks, text search and thumbnails, a full-featured chart control, and a detailed help file. With ActiveReports, it is easy to create the kinds of reports you

EASY to LICENSE

Licensing with ActiveReports for .NET is straightforward and easy to understand. There are no hidden costs, no extra licensing fees and no royalties charged for end users. Once you install the product after purchase, you are free to create and deploy your reports as needed.

EASY to DEPLOY

ActiveReports makes deploying your reports and end-user reporting capabilities easy. The reporting engine is provided as a single managed, strong-named assembly. ActiveReports allows assemblies to be distributed using XCopy or placed in the Global Assembly Cache (GAC).

Infragistics Unites AJAX, JSF

BY DAVID RUBINSTEIN

Looking to help developers who want to leverage both JavaScript and the Java platform, software component seller Infragistics last month released NetAdvantage for JSF 2006, a set of AJAX-enabled JavaServer Faces components for building user interfaces for J2EE applications.

"NetAdvantage for JSF shows what is possible with the combination of AJAX and JSF," said Tom Hammell, Infragistics' Java product manager, in a news release announcing the product. The components let users load large data files without the need for using postbacks, the company explained in the release.

The component set, which ships with support for Sun's Studio Creator development suite, includes grids, menus, trees and tabs. It can be used in applications running on major Java application servers, the company said.

NetAdvantage for JSF costs US$795 on an annual subscription basis; with priority support, it costs $1,290.
TestNG 5.0 Smoothes Out Annotations

Test tool update reduces confusion when running thousands of tests

BY ALEX HANDY

TestNG's ability to organize thousands of unit tests has improved with the release of version 5.0 in late July.

Cedric Beust, a software engineer at Google, explained that he began developing TestNG three years ago because he believed JUnit was too limited in scope for proper enterprise use. Beust acknowledged that JUnit is the more popular unit testing tool for Java, but that his own TestNG offers better options for handling large numbers of tests.

"The major feature [in this release] is not brand-new; it's about more renaming and cleanup of annotation names to make them more intuitive. Our reports are easier to read and better organized now. As we have more and more users who have thousands of tests and dozens of groups, it becomes really important to make those reports easy to read," said Beust, who is originally from France.

But despite being open-source, the project has remained primarily a two-man affair. Most of the third-party work has been done on making TestNG work with IDEs such as Eclipse, NetBeans and IntelliJ IDEA. But outside of those contributions, most of the work on the project has been done exclusively by Beust and Alexandru Popescu, who began contributing code soon after Beust created TestNG.

For the future, Beust would like to see more contributors to the TestNG project, but doesn't expect many changes to its core functionality. "For the past year, there were less features requested in the core, and we were working on productivity around the core, which is good because it means the core is working and functional enough," said Beust of the 600-strong mailing list for the tool.

"I think we're going to see stronger integration with Web servers so we can drive TestNG from remote machines," Beust added, saying that he's also creating a version that can handle distributed tests. "The general message is going to be more about scaling. For people writing thousands of tests, we want to make it almost transparent for them to use as many machines and as much power as they have."

Despite Beust's employment at Google, the tool has little to do with the company. TestNG is a free and open-source tool. It can be downloaded at www.testng.org.
HP Acquisition Leaves Mercury Test Tools in Limbo

MERCURY'S LINEUP

Mercury's product lines are primarily split between management tools and QA tools. The company's numerous management tools track and control everything from software changes to time management to customer demands and compliance. These applications include:

Application Delivery Foundation
Application Management
Administration
Application Mapping
Business Availability Center
Center Management
Change Control Management
Demand Management
Deployment Management
End User Management
Financial Management
IT Governance Center
Performance Center
Portfolio Management
Program Management
Project Management
Resource Management
Service Desk
Service Level Management
System Availability Management
Time Management

The company's monitoring tools focus primarily on watching large-scale business Web sites and compliance with business process rules. Also, the company's Diagnostics and SiteScope tools offer QA for the field.

Mercury's Quality Center is the overarching QA tool suite that the company uses as the focal point of its testing infrastructure. The company's popular LoadRunner load-testing tool also comes in dozens of flavors specific to IBM DB2, Oracle
Can This Really Work?

HP's takeover history is rocky. Will things be different?

BY JENNIFER DEJONG

Can HP make the Mercury acquisition work?

Research analysts answered with a tentative "yes." They said Mercury's testing and application management tools align reasonably well with HP's OpenView network management offerings. But they were quick to point out HP's flawed record of integrating earlier acquisitions, and its lack of experience in the testing tools arena.

"HP has a rocky history with acquisitions," said AMR Research analyst Dennis Gaughan. "But I have higher hopes of success this time around."

Chief among the failed acquisitions cited is Compaq, which HP acquired in 2002 in a stock swap deal worth an estimated US$25 billion. "There were a lot of teething problems integrating the various groups," noted Bola Rotibi, an analyst for U.K.-based Ovum. And when HP's former CEO, Carly Fiorina, stepped down last year, failure to make the Compaq merger work was widely perceived as a key reason, said Rotibi. "There is some fear that could be replicated with Mercury."

Less high-profile, but also flawed, was the Bluestone Software acquisition. HP bought the Java application server maker for an estimated $500 million in 2001. Initially, HP positioned the Bluestone application server as a stand-alone offering, said Jim Jackson, who works for HP's technology solutions group. But in 2004, HP forged a partnership with JBoss, pledging its support for the open-source application server.

(Photo caption) Carly Fiorina was at the helm when HP bought Compaq and Bluestone.

The thinking behind the Bluestone acquisition was completely unclear, said Carey Schwaber, an analyst at Cambridge, Mass.-based Forrester Research. "But I don't think there is as much opportunity to do badly with Mercury."

The market for application servers was still emerging when HP bought Bluestone, but that's not the case with Mercury, she said. "It is a mature company, and the market for testing tools is mature."

More troubling is HP's lack of experience in the testing tool arena. "When you look at what HP is saying, they are not talking about testing," said Schwaber. In making the announcement, HP articulated its vision for integrating its OpenView network management offerings with Mercury's tools for application management, she said.

"Testing was given only the most cursory mention [by HP]," echoed Ovum's Rotibi. But Mercury derives 60 percent of its revenue from QA tools, she said. "At the end of the day, they are a testing company." And HP has no background in the testing world, she said.

Integrating network management and application management tools still leaves some holes, Schwaber said. "It will still treat actual development as a black box, and that is a problem."

A key reason why IDC analyst Stephen Elliot remains optimistic about the deal is Mark Hurd, who took the helm as HP's CEO and president in March 2005.

"Hurd brings a new perspective on what it means to integrate an acquisition," he said. "With Hurd there is a back to basics [mentality], a focus on market share and customers."



< continued from page 1

the acquisition to be an easy touchdown.

Carey Schwaber, an analyst at Forrester Research, said the acquisition "definitely raises some new challenges" for HP. "It's a new market for HP. They've not been in testing before. They have made some moves into the application development space, and they've ended badly."

But, despite HP's spotty acquisition track record, Schwaber does not expect the company to ignore Mercury's testing customers. "Considering the number [of customers], which is more than 10,000, HP will definitely be very careful to do no harm. I don't anticipate any real change for [those customers], other than a very pointed introduction to the rest of the HP software portfolio. Mercury had been pitching its systems management capabilities to these customers already, so they're kind of a soft target at this point," added Schwaber.

On the SOA side of the fence, the Mercury acquisition finally brings Systinet's offerings into the HP family. According to Jason Bloomberg, senior analyst at ZapThink, HP bid for Systinet earlier this year. Mercury ultimately won that bidding war, however, and Bloomberg believes that the Mercury acquisition was somewhat influenced by the fact that HP still had designs on the Systinet repository and other SOA tools.

"HP has been strong in SOA for a while, and Mercury has as well, especially since they acquired Systinet," said Bloomberg. "By putting HP OpenView in the initiative, there's a clear story these sides are telling."

HERE COMES THE JUDGE

For Mercury, the acquisition has a distinct benefit: It puts to rest many of the investment and bookkeeping controversies that have plagued the company for the past two years.

Last year, the company was forced to restate its earnings for 2002, 2003 and 2004, due to the alleged back-dating of stock options given to employees. Even HP's Hurd acknowledged that these issues could be addressed in the eventual purchase agreement, possibly through reserves held back from the purchase price pending the refiling of earnings reports.

But Bloomberg believes that Mercury's legal troubles are actually being solved by this acquisition. "Once the acquisition is closed, there'll be no more company called Mercury," said Bloomberg. "It's a shortcut out of trouble."

Schwaber said that HP had originally put in a bid for Mercury six months ago, but that the final price tag was significantly higher than the original bid. This, said Schwaber, was an indication that rival storage company EMC had started a bidding war for the company.

CA CTO Al Nugent said that the purchase was a good one for HP, but added that the acquisition does leave some holes that need to be filled if HP wants to compete in the IT management space. "I think what HP has discovered is there's a lot more to end-to-end IT management than being able to provide the network and provide the service desk. There's more to it than managing a network and managing an application," he said.

"You would continue to compare what CA is doing to what HP is doing," said ZapThink's Bloomberg. "They've both been through some management changes. They've both been through some of the SEC problems," he said.

"At this point, it looks like CA is slightly ahead because they've completed their acquisitions," said Bloomberg, adding that, for HP, "there may be some things missing, but there's fewer pieces missing than before."

HP's Hurd claimed the acquisition is a perfect fit, citing the near-total lack of overlap between the companies' product lines. He hinted that the initial integration period will be marked by significant cost-cutting. And that, said Schwaber, will be a great indication of how the acquisition is going.

"We'll want to look at who stays at Mercury with HP," said Schwaber. "A lot of people at Mercury grew up at Mercury, so staff turnover will be a big deal. We want to look at whether HP provides technology support at the rate Mercury did. [Mercury] had amazing environment support." Added Schwaber: "Mercury wasn't the most thrifty company, so there's a little bit of [cost-cutting] opportunity."
SOA Adoption Brisk, Varies by Industry

< continued from page 1

thy as a means to reuse components within an organization, but have also enabled Web services to become a worldwide infrastructure foundation.

John Andrews, president of Evans Data, attributes the jump in adoption to an increase in education. "People are learning the advantages of SOA in technology and in the business side," he said. "There's no question that SOA is beneficial. This allows companies to extend resources to fund these efforts."

Aberdeen characterizes SOA as "a major technology wave driven by the unbearable costs of technology integration, which is programmer labor-intensive." By breaking applications into component services, SOA simplifies the line-of-business process changes mandated by management, Aberdeen says, causing IT to embrace SOA as a "long-term cost reducer and tool to accelerate time-to-market."

But according to Andrews, companies will need to spend significantly before they begin to realize those cost savings.

"Companies have been struggling with the upfront investment it takes to implement an SOA architecture," he said. "The whole emphasis is on code and component reuse. Until you get to that stage, it costs more and takes more time," he said.

In the past, Andrews said, when companies put a project together to solve a business need, they were solving the problem for a single-business audience. "Now you're looking at how to take advantage of reusability across as many services as possible. It's a more complete design process upfront," and complex in terms of implementation, he added. "In time, though, you'll have that reusability, so it should pay for itself."

SOA SILOS

With the expense and resource drain involved in SOA implementation, the results of Gartner's industry study showing banking, insurance, investment and health-care industries as top adopters might on the surface seem quite logical.

What is the current number of production Web services in your IT organization this year?

Number of services    Percent of responses
(label illegible)     11.4%
1-2                   22.3%
3-4                   12.0%
5-10                  24.3%
11-20                 11.7%
41-100                 8.8%
51-100                 5.0%
More than 100         (illegible)

Source: Web Services Development Survey 2006, Evans Data.

Beyond financial, the reasons cited in the November report for the high adoption rates of those industries might not be so obvious.

In banking, Gartner reported the highest adoption rates at 78 percent. Competition is fierce, and banks, regardless of size, must respond quickly to changes in "market and customer demands, channel offerings and shifts in competitor strategies," the Gartner report stated.

Insurance companies, on the other hand, have used SOA as a way to deploy functionality of their vintage applications to agents and brokers via the Web. As a result, Gartner said, insurance companies have changed the way they store claim and policyholder information and the way claims, policies and customers relate to one another.

Such a structure could be thought of in terms of ERP SOA, one of three deployment types that Aberdeen's research identified. ERP SOA deployments, in place in about one-sixth of responding companies, are defined as a preferred integration method into applications and as a low-cost SOA toolkit for integration of ERP data out to other applications or processes, as in the insurance industry.

The other two methods, SOA Lite and Enterprise SOA, occupy opposite ends of the deployment spectrum. Aberdeen found that the SOA Lite category is dominated by small-to-midsize companies and users of Microsoft .NET technologies. SOA Lite is predominantly focused on Web services that are not mission-critical and "do not require high-volume scalability, high availability and failover, management, governance and security." Enterprise SOA deployments do require all those capabilities, and are generally synonymous with companies with annual revenue of at least US$1 billion per year.

Other significant hurdles remain, Andrews said, including security and testing. "Because you have to do integration testing across architectures, finding issues also is a major inhibitor when IT is already being accused of being too slow to react to business needs. But over time, it will expedite reusability."
JS-Sorcerer Has Command Line in Its Power

BY ALEX HANDY

Vi and Emacs users can now benefit from the capabilities of JS-Sorcerer, the JavaScript development tool from DHI Technologies, which works not only within Eclipse but also from a command line.

JS-Sorcerer is a US$199-per-user tool that offers syntax checking, variable type and flow analysis, and type-safe linking for external files to JavaScript developers.

Among the many new features of JS-Sorcerer 2.0 are additional file integration capabilities that allow developers to seamlessly combine HTML and JavaScript files into singular cohesive wholes. Also added in this version is a dependency generator that tracks the requirements inside of JavaScript files, and functions that help manage JavaScript libraries and the order in which they load.

"We believe that the initial investment of several days to learn JS-Sorcerer, and to modify the structure of legacy applications, is quickly returned by the long-term benefit it offers to serious Web application developers," said Roger Franklin, CEO of DHI.

JS-Sorcerer 2.0, like its earlier incarnations, also functions as an Eclipse plug-in, though this version supports the Web Tools Platform as well. JS-Sorcerer 2.0 runs under Linux, Mac OS X and Windows. A 15-day free trial can be downloaded at www.dhitechnologies.com.

(Advertisement)

Web User Interfaces, evolved.

ComponentArt

Web.UI for ASP.NET

Try Web.UI 2006.1 today at www.componentart.com

ATALASOFT: PUT AJAX ON THAT IMAGE

BY ALAN ZEICHICK

The newest version of Atalasoft's .NET imaging toolkit, DotImage, focuses on improving the interactivity of ASP.NET applications by adding new AJAX features, according to the company, and also has new capabilities for automatically cleaning scanned images and applying photographic effects.

DotImage 4.0, which shipped at the end of July, now has an AJAX-based thumbnail control that lets end users view and process Web-based images without postbacks, according to the company.

The latest release also adds new component modules for advanced document cleanup and advanced photo effects. The cleanup module removes specks, borders, broken or dotted lines, holes and other unwanted elements from scanned or other images being processed by the application. The photo effects module, designed for high-end photography and prepress applications, can be used to apply color corrections, boost shadows, or improve the appearance of skin tones in photographs.

The DotImage component suite, which works with both .NET 1.1 and .NET 2.0 assemblies, is available in two versions. For photo processing, the cost is US$499 per developer seat, plus $329 for each production deployment server. For document imaging, DotImage costs $1,799 per developer seat, plus $999 for the production deployment server.
Functional Testing Converges With Consulting Service

BY ALEX HANDY

Convergys has introduced an automated testing tool that aims to place test design in the hands of novice users. Easy Test is designed to build functional tests through a point-and-click interface. The tool also supports keyword-, table- and data-driven tests, which can be built in a plain language-based scripting engine.

According to Andrea Ayers, the company's president of government and new markets, Convergys built Easy Test to address needs that were unmet by commercially available products. "After client requests to make this solution commercially available, we created Convergys Testing Solutions, including the Convergys Easy Test application testing tool," she said.

The company uses its software tools heavily in its consulting services. According to Jean Herve Jenn, Convergys' president of international operations, tools are only one of the many solutions his company offers, as is evidenced by Convergys' work with German television company Unity and its subsidiary, Arena.

"Working with Unity and Arena enabled us to apply our operational expertise and proven software products to configure and implement a solution that meets their particular billing and customer care requirements and aggressive implementation timeline," said Jenn.

Easy Test runs on Windows and costs US$12,000 per user. It is a stand-alone testing suite that can be used even before work on a piece of software is complete. Testers are also given the ability to step through errors found in an application without the need to stop a test and start over once a bug has been found.

Convergys said that its tool, released in late June, is primarily aimed at organizations that are seeking to expand internal testing by placing unskilled testers on QA projects.

Web Service For Data Storage

BY P.J. CONNOLLY

Online digital media service provider Streamload made a move last month toward the enterprise market by launching its eponymous Web service, targeted at developers and content providers who require secure and reliable data storage and online services.

Streamload Web Services consists of two components, the first being the free-for-use Streamload Platform API, which allows developers to access and build on the features of MediaMax, the company's online media center.

The second part of the Web service is Streamload Storage and Processing Services, focusing on the needs of digital media consumers and developers for large amounts of online storage, rapid media transcoding, and broad-scale file transfer without the customer incurring big costs.
EclipseWorld 2006 Focuses on Callisto

BY EDWARD J. CORREIA

Web Tools, the Rich Client Platform and the Eclipse Test & Performance Tools Platform are new tracks at EclipseWorld 2006, taking place Sept. 6-8 in Boston. There are also several classes and a tutorial dedicated to Callisto, the most recent releases of the Eclipse IDE and related projects.

One of this year's most popular technical classes, based on early registration information from organizer BZ Media, which publishes SD Times and the monthly Eclipse Review magazine, appears to be "Building Commercial-Quality Plug-ins for Eclipse," from Eric Clayberg and Dan Rubel, authors of a popular book of the same name.

The conference keynote will be delivered by Mike Milinkovich, executive director of the Eclipse Foundation, on Thursday, Sept. 7.
Microsoft Revs Software Hosting

BY P.J. CONNOLLY

Although application service providers never took off the way they were supposed to during Bubble 1.0, the software-as-a-service model still recommends itself to customers large and small. Microsoft is making its own play for the SaaS dollar, with the recently introduced Windows-based Hosting Version 4.0, which was to become available worldwide on Aug. 4.

The new package includes support for SQL Server 2005 and ASP.NET 2.0, incorporating best practices and other guidelines gleaned from customer experiences since those products' release last fall.

According to Donovan Deakin, Microsoft's senior solution product manager in charge of Windows-based hosting, Microsoft is "seeing much more data-driven and dynamic Web sites out there that require scripting technologies."

Windows-based Hosting is one of three so-called "Solutions" that Microsoft offers service providers, with the company's hosted messaging and collaboration package and Windows-based Hosting for Applications. By the company's count, 142 service providers worldwide use Microsoft's Windows-based Hosting.

German Web host Intergenia services more than 2.2 million active sites on over 20,000 dedicated servers — making it the world's second-largest Web hosting provider, by Netcraft's reckoning — and almost all (more than 95 percent) of these sites run on Windows-based Hosting 3.5.
Enlightenment Through initialization

< continued from page 1

the companies are seeing eye-to-eye.

IBM, unlike Novell, views Xen as only one piece of a larger virtualization puzzle. Kevin Leahy, director of virtualization strategies at IBM, said that his company sees its role as providing overall management tools that can take care of multiple virtualization environments at once.

Sun, on the other hand, has been working with the Xen team to build up support for running Solaris under the virtualization platform, and HP has been contributing its minds to improving the platform.

Meanwhile, Microsoft announced that it plans to allow Xen to interoperate with its own hypervisor.

Jim Ni, group product manager of the Windows Server division at Microsoft, said that Longhorn will include a number of features that make virtualization a fundamental part of the operating system. "We're putting something we call Enlightenment in the core operating system, which allows the OS to understand it's virtualized. So Linux will run on top of Windows Server Longhorn."

Ni said that Microsoft's agreement with Xen Source will help to make Linux run more smoothly on Windows, and to allow Xen environments to transfer seamlessly to the new Windows virtualization platform. Ni also said that Microsoft will modify Windows to make it better able to run under Xen on other operating systems. "Windows does run on third-party virtual machine monitors. It runs on Xen Enterprise, and Microsoft is going to provide commercially reasonable efforts to support premier-level customers," said Ni, who refused to clarify what "commercially reasonable efforts" means.

RIVAL SPEAKS OUT

But that agreement isn't entirely to taste for rival virtualization company VMware. Raghu Raghuram, VMware's vice president of platform products, claimed that Microsoft is being disingenuous in its statements about the Xen Source agreement.

"This is a one-way arrangement where Microsoft will allow Linux to run on future Microsoft hypervisors through translated calls to the hypervisor when Windows is controlling the hardware, but not the other way around. Under this arrangement, Longhorn Enlightenments will not be ported or licensed to run on a Xen hypervisor," said Raghuram in a prepared statement. "It is notable that Microsoft's announcement is being made about a hypervisor whose first release is roughly two years away or more, and while the Linux hypervisor interfaces are still being discussed in the community."

Raghuram went on to state that Xen is not nearly as mature as his company's own virtualization platforms, which debuted in 2001.

Raghuram said that VMware's offerings are able to treat a pool of servers as a singular entity to be provisioned as needed, and that Xen does not yet offer the capabilities needed for large enterprise deployments.
Wind River Linux Ready for Real Time 

Focuses on handsets, carriers; contributes code to kick-start Eclipse projects 



BY EDWARD J. CORREIA 

Wind River Linux is ready 
for handsets. So says Wind 
River Systems, which 
unveiled its fourth Linux 
release on July 31, target- 
ing ARM-based devices 
with a kernel footprint it 
claims comes in at less 
than 1MB. 

"Wind River is now a 
viable, mature Linux 
company with a solid 
product line," asserted 
Glen Seiler, Wind River's 
senior manager for Linux 
platforms. Wind River 
Linux 1.3 is the first com- 
mercial implementation 
based on Linux kernel 
2.6.14, released in Octo- 
ber, the company claims. 

Seiler said the latest 
kernel includes signifi- 
cant updates to the pre- 
emption patch developed by 
Ingo Molnar, and solves 
mutexes and other real-time 
performance-related issues. 
"We believe this is a better 
solution than prior kernels 
for aerospace and carrier 
grade customers [because of] 
its high-resolution timers 
and core performance-related 
functionality." 

The platform also now 
includes enhancements to 
networking protocols and file 
systems, and increased hard- 
ware architecture support. It 
also is OSDL-certified com- 
patible with its Carrier Grade 
3.2 spec released in March, 
Seiler said. The updates are 
included in the Linux editions 
of Wind River's General Pur- 
pose Platform as well as its 
Consumer Devices and Net- 
work Equipment platforms, 
which also target x86 and 
PowerPC platforms. 

Seiler said the distribution 
reduces the Linux footprint 
in large part by its use of 
uClibc, the C library for 
embedded systems that is 
smaller but mostly compatible 
with the GNU C library Glibc. 
Most applications written for 
Glibc require just a recom- 
pile. Wind River's distribution 
also now supports the Busy- 
Box small-footprint Unix utili- 
ty package and flash file sys- 
tems. The entire distribution 
can be implemented on a 
device in about 4MB, he said. 





TOTAL ECLIPSE 

Wind River also has made signif- 
icant code contributions to the 
Eclipse Foundation— 300,000 
lines of code in all — that it says 
are designed to help speed up 
the C Development Tools 
(CDT) project as well as its own 
Device Software Development 
Platform (DSDP) project. 

Among its DSDP contribu- 
tions will be Terminal View, 
which will give Eclipse devel- 
opers the ability to peer inside a 



running device via serial con- 
nection from within the IDE. 
"For device developers, serial 
connectivity is one of the most 
common ways a developer gets 
debug information from a 
device," said Steven Heintz, 
Wind River's director of prod- 
uct management for developer 
tools. "Rather than going to an 
external program to see what's 
going on, this makes that a 
seamless experience," he said. 

Wind River will also 
enhance the editor's code for- 
matting symbol navigation 
capabilities, he said. 

For the DSDP's device 
debugging project, the compa- 
ny is working on an extensible 
Eclipse debugging model — 
code-named Riverbed — to 
allow debugging views to coin- 
cide with the actual target 
architecture. "That's one of the 
key projects because an ARM 7 
has fewer registers than an 
ARM 11. This will allow them 
to display the right number," 
Heintz said, for example. 

To make that possible for 
the DSDP, Heintz said changes 
to Eclipse's core framework 
were required. Those changes 
were implemented with Callis- 
to. "Wind River and other 
DSDP companies have had a 
positive impact on Callisto, lay- 
ing the groundwork for plug- 



gable debuggers and editors to 
exist. This will benefit not only 
device software developers but 
all C and C++ developers using 
Eclipse," he said. 

Wind River also is working 
on creating pluggable parsers. 
Said Heintz: "The initiative is to 
break the parser from the edi- 
tor so you can use the default 
parser in CDT or plug in a com- 
mercial parser," to allow parsers 
to be matched with languages. 
"There are different 
ways to do parsing for C 
and C++, and it's more 
difficult to do effective 
parsing for C than for, 
say, Java, which is 
strongly typed," he 
added. Wind River will 
contribute code from 
SNiFF+ parsing tech- 
nology it acquired with 
ISI in 2001. 

The DSDP's target 
management project 
also will get a boost, but 
more from IBM than 
Wind River. The two 
will work together to 
integrate the project 
with IBM's Remote Sys- 
tem Explorer, which 
permits Eclipse to con- 
nect to remote Linux 
and Unix systems, see 
and edit files with 
Eclipse editors, and 



compile and execute source 
code remotely. "We're con- 
tributing code in conjunction 
with that [to] make it more tar- 
get-oriented so you can connect 
to and manage multiple tar- 
gets," said Heintz. 

Heintz said that projects 
under way now should reach 
completion by next year's joint 
release in June with regular 
milestone releases in the 
meantime. I 







AppForge Customers Prompt Shift in Strategy 

Company finds users want runtime for developing, deploying customer-facing apps 

BY EDWARD J. CORREIA 

About eight months ago, AppForge began to notice a shift in customer buying patterns. The company, which develops and markets a Visual Studio add-on for mobilizing enterprise applications, noticed that customers were suddenly buying more client licenses. A lot more. The company this month will reduce its volume pricing and adjust other licensing policies to reflect the new trend, it says. "We went from selling about 1,000 licenses a month [total] to seeing deployments of 1,000 licenses a month from [individual] customers," said AppForge president Gary Warren. One customer, he said, was talking about purchasing 100,000 licenses a year. 

After some analysis and group head-scratching, Warren said they realized that customers had begun to use Crossfire — the company's flagship runtime environment for targeting BlackBerry, Palm OS, Symbian and Windows Mobile — to develop and deploy customer-facing applications, a departure from typical enterprise deployments. "Customers had started using Crossfire not only for their line-of-business apps, but also to turn a Treo or BlackBerry into a Web services terminal." 

Crossfire extends Visual Studio's drag-and-drop interface to allow targeting of mobile devices using .NET languages. Its native-like apps offer advantages over mobile browser-based apps for accessing Web-based services, Warren claimed, because of the intermittency of wireless connections. "The mobile browser doesn't work," he said, claiming they are slow and hard to use. "You need software running on the device," he said. "There's no worries about phishing or other hacks because the client talks only to your site," he added, speaking of security. 

Warren said that while the AppForge customer base now potentially includes banking, airline, medical services and other industries that develop customer-facing apps, its sales and marketing strategies will not change significantly. "It's more of an evolution, because the IT departments are still in charge of development. The same people doing the baggage handling software are also doing the Web site," he said. 

To address the change in customer buying patterns, AppForge later this month will officially unveil a new licensing policy that will adjust volume-based pricing and simplify application deployment with consumers in mind. The runtime will be included with the application. "End users don't want to know there's a runtime, and software companies don't want them to know," he said. Exact pricing was not set at press time. 

The Crossfire runtime component runs natively on all devices except the BlackBerry, where it runs in a JVM due to carrier concerns. 
In the beginning, the strategy seemed 
obvious. Show development man- 
agers how the code their teams write 
can be compromised, and they will 
buy application security tools designed to 
help prevent the problem. 

But, according to application security 
tool makers, things haven't turned out 
that way. Convincing development man- 
agers to adopt the source-code analyzers 
and black-box testing tools they sell has 
proved difficult, the tool makers 
acknowledged. 

"It was naive to think developers 
would take up application security on 
their own," said Roger Thornton, 
founder and chief technology officer for 
Palo Alto, Calif.-based Fortify Software. 
They are already under a lot of pressure, 
he said. "Everyone is asking them for 
more features, faster." 

Getting developers to adopt security 
tools is a tricky thing, added Mike 
Weider, founder and chief technology 
officer for Waltham, Mass.-based 
Watchfire. They are accustomed to writ- 
ing code and handing it off to QA, he 
said. "They don't see testing as part of 
their role, and using the tools slows 
them down." 

What's more, the popular sales tactic 



of analyzing developers' code and iden- 
tifying where and why the application is 
vulnerable to attack didn't exactly win 
developers over, noted Caleb Sima, 
founder and chief technology officer for 
Atlanta-based SPI Dynamics. "When 
you come along with a tool that shows 
developers what they did wrong, that's a 
frustrating experience," he said, which 
led many developers to rebel. "The 
developers said, 'I don't want you point- 
ing out more problems for me. Just let 
me do my job.'" 

GETTING THE MESSAGE 

In spite of these hurdles, application 
security tools are making their way to 
developers' desktops, albeit by a more 
circuitous route. 

Source-code analyzers, which scan 
code against a database of known vulner- 
abilities, and black-box testing offerings, 
which find security holes by attacking an 
application in much the same way a hack- 
er might, are typically driven into devel- 
opment by the security professionals, 
according to the tool makers. Charged 
with carrying out mandates from top 
management, security professionals are 
setting policies that require development 
teams to adopt the tools, they said. 
SPENDING FOR SECURITY 

Products geared to testers and developers, such as source-code analyzers and black-box testing tools, are growing in popularity, IDC noted in its study. The overall market also includes security management and network security software. 

[Chart: revenue of $1.12 billion, $1.37 billion (projected) and $1.62 billion (projected); all figures in U.S. dollars] 

Source: "Worldwide Security and Vulnerability Management Software 2005-2009 Forecast and Analysis: 
Taking Control of the Security Environment," IDC, December 2005 



Until recently, security professionals 
were concerned largely with network-lev- 
el security, which meant implementing 
firewalls and intrusion detection systems. 
But the importance of addressing security 
at the application level has made its way 
onto their radar screens, said Sima. "They 
know the firewall is not enough," he said. 
"The message has gotten through." 

Now that companies recognize the 
problem, "we have moved beyond mis- 
sionary selling," added Watchfire's 
Weider. 

It is hard to say to what extent the 
tools are selling, as research firms have 
not estimated the size of the application 
security market alone. But an IDC 
report published in December 2005 — 
"Worldwide Security and Vulnerability 
Management Software 2005-2009 
Forecast and Analysis: Taking Control 
of the Security Environment" — projects 
that the overall security market, which 
also includes network security and secu- 
rity management tools, will grow to 
more than US$3 billion by 2009. The 
report noted that software security vul- 
nerability products geared to develop- 
ers and QA professionals are growing in 
popularity. 

Market projections aside, develop- 
ment teams are only just beginning to 
grasp the implications of building security 
into the application development process. 
"They are asking, 'How do I build appli- 
cation security into the fabric of my com- 
pany?'" said Kevin Kernan, CEO for 
McLean, Va.-based Secure Software. 

Given the cultural changes that 
adopting an application security strategy 
entails, the answer to that question is 
still evolving. But a few key things are 
clear, the tool makers said. To develop 
applications robust enough to withstand 
Web attacks, companies must address 



security in every phase of development, 
beginning with requirements. Also 
essential is employing a dual approach 
that includes both white-box and black- 
box testing tools. Both offerings should 
be tied to the IDE in which the devel- 
oper works, and they should strike a bal- 
ance between offering enough informa- 
tion to be useful, but not so much that 
they slow developers down, said Nick 
Allen, director of marketing for Burling- 
ton, Mass.-based Klocwork. "You don't 
want to overwhelm developers with too 
much information." It's best to give 
them some latitude, letting them specify, 
for example: "Show me only the most 
critical vulnerabilities," he said. 

WHITE BOX, BLACK BOX 

Source-code analyzers, also known as 
white-box security tools, scan source code 
looking for well-known vulnerabilities that 
hackers could exploit with attacks such as 
SQL injections, or cross-site scripting 
errors. White-box tools let developers see 
the actual source code, said Secure Soft- 
ware's Kernan. "They walk you through it, 
showing you the tree structure behind the 
flaws you have discovered," he said. 
"Here's where the [vulnerability] originat- 
ed; here's how to fix it." 

By contrast, black-box offerings, also 
known as penetration testing tools, offer 
no such window into the application. 
They simulate the behavior of a hacker 
in order to identify where the vulnera- 
bilities lie. "They don't offer any contex- 
tual information," said Kernan. "You 
can't see the inside [the black box]." 

But both approaches play a role, he 
said. White-box tools let developers ana- 
lyze code as they work, while black-box 
tools are deployed during testing. "You 
want to be comprehensive and accurate," 
added SPI Dynamics' Sima. Combining 
the two technologies is the best way to 
do that, he said. 
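The two tool classes the article describes, a source-code analyzer that sees the code and a black-box tool that only sees the running application, can be made concrete with a toy of each pointed at the same SQL-injection flaw. The following is an added example written for this page; it is not code from the article or from Fortify, Watchfire, SPI Dynamics, Secure Software or Klocwork, and the sample handler, in-memory database and user names are constructed for the demonstration.

```python
# Added example: a toy white-box (static) and black-box (dynamic) check for
# the same injection flaw. Not code from the article or any vendor it names.
import ast
import sqlite3
import textwrap

# Constructed sample handler: the request parameter is pasted into the SQL
# text with % formatting, so the caller controls part of the SQL grammar.
VULNERABLE_SOURCE = textwrap.dedent('''
    def lookup_user(conn, username):
        query = "SELECT id, name FROM users WHERE name = '%s'" % username
        return conn.execute(query).fetchall()
''')

# The same handler with a bound parameter; the driver keeps the untrusted
# value out of the SQL grammar entirely.
HARDENED_SOURCE = textwrap.dedent('''
    def lookup_user(conn, username):
        query = "SELECT id, name FROM users WHERE name = ?"
        return conn.execute(query, (username,)).fetchall()
''')

SQL_SINKS = {"execute", "executemany", "executescript"}


def _built_at_runtime(node):
    """True for expressions that assemble a string from pieces."""
    if isinstance(node, ast.JoinedStr):                                  # f-string
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True                                                       # "..." % x, "..." + x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                                       # "...".format(x)
    return False


def white_box_scan(source):
    """Toy source-code analyzer: inside each function, remember names bound to
    a runtime-built string, then flag SQL sink calls whose first argument is
    such a name or expression. Real tools follow taint across calls and files;
    this one only looks within a single function body."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for node in ast.walk(func):
            if isinstance(node, ast.Assign) and _built_at_runtime(node.value):
                tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr in SQL_SINKS and node.args):
                arg = node.args[0]
                if _built_at_runtime(arg) or (isinstance(arg, ast.Name) and arg.id in tainted):
                    findings.append("%s: line %d: %s() receives a string built at runtime"
                                    % (func.name, node.lineno, node.func.attr))
    return findings


def make_db():
    """Constructed in-memory database standing in for the real back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def load_handler(source):
    """Turn one of the sample sources into a callable, as if it were deployed."""
    namespace = {}
    exec(source, namespace)
    return namespace["lookup_user"]


def black_box_probe(handler, conn):
    """Toy penetration-testing check with no view of the source: send a benign
    value, then a tautology payload, and compare what comes back. More rows
    than the baseline means the payload changed the query's meaning; a
    database error on the payload is also reported, since it shows the input
    reached the SQL parser."""
    baseline = handler(conn, "alice")
    payload = "x' OR '1'='1"
    try:
        attacked = handler(conn, payload)
    except sqlite3.DatabaseError as exc:
        return "error: payload reached the SQL parser (%s)" % exc
    if len(attacked) > len(baseline):
        return "injection: payload returned %d rows, baseline %d" % (len(attacked), len(baseline))
    return "no finding"


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SOURCE), ("hardened", HARDENED_SOURCE)):
        print(label, "white-box:", white_box_scan(src) or "clean")
        print(label, "black-box:", black_box_probe(load_handler(src), make_db()))
```

The white-box check names the function and line and says why the call is suspect, which is the "here's where it originated; here's how to fix it" context Kernan describes; the black-box probe reports only that the payload changed the result, which is all it can see. Each misses what the other catches: the static check is blind to a query assembled in another module, and the dynamic probe finds nothing if its payload never reaches the sink.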

If secure coding efforts are to suc- 
ceed, development managers need to 
start thinking about application security 
long before a line of code gets written. 
One meaningful way to do that is to cre- 
ate requirements use cases that specify 
"what you don't want the system to do, 
not just what you want it to do," said IBM 
Rational program director Ashok Reddy. 
For example, a use case could enable a 
buffer overflow, a commonplace pro- 
gramming error that can result in a secu- 
rity breach, he said. 

IBM does not provide white-box or 
black-box security tools, but offerings 
from partners, including SPI Dynamics, 
and San Francisco-based Coverity, plug 
into the Rational Software Development 
Platform, said Reddy. 

Focusing on security issues in requirements is key to helping development teams address security from the get-go and throughout the application life cycle, the tool makers said. That's an entirely new mindset for most companies, noted Watchfire's Weider. "Security was something you [worried about] retroactively, after the fact." 

Even though development managers are responsible for addressing security concerns throughout the application life cycle, they do not bear the burden alone, said Fortify's Thornton. The work is done by development teams, but security professionals, who drove application security tool adoption in the first place, are responsible for the final sign-off. 

"I have looked at your code, and it's fine. You are no longer accountable. I am," said Thornton, assuming the role of the security professional. "For me, as a developer, that is how I would want it." 

THE TOP 10 APPLICATION SECURITY THREATS 

The Open Web Application Security Project (OWASP) is a not-for-profit foundation that provides guidelines to help organizations develop and maintain secure code. It monitors security threats and publishes the OWASP Top Ten, a list of the top vulnerabilities, which also provides remediation advice. Here is the current list. 

Unvalidated input: Information from Web requests is not validated before it is used by a Web application, allowing attackers to exploit these flaws to attack back-end components through a Web application. 

Broken access control: Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files or perform unauthorized functions. 

Broken authentication and session management: Account credentials and session tokens are not properly protected. Attackers who can compromise passwords, keys, session cookies or other tokens can defeat authentication restrictions and assume other users' identities. 

Cross-site scripting: The Web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine or spoof content to fool the user. 

Buffer overflow: Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. Components can include CGI, libraries, drivers and Web application server components. 

Injection flaws (such as SQL injections): Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the Web application. 

Improper error handling: Error conditions that occur during normal operation are not handled properly. If attackers can cause errors that the Web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail or crash the server. 

Insecure storage: Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection. 

Application denial of service: Attackers can consume Web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail. 

Insecure configuration management: Strong server configuration is critical to a secure Web application. These servers include many configuration options that affect security and are not secure out of the box. 

Source: www.owasp.org 
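Two adjacent items on the OWASP list above, broken access control and broken authentication and session management, are easy to state and easy to get wrong in code, so here is an added example (written for this page, not from the article, OWASP or any vendor it names) showing each flaw next to its fix. The counter-derived session id, the in-memory session stores, the record table and the user names are all constructed for the demonstration; the weak scheme stands in for any id an attacker can enumerate or predict.

```python
# Added example: predictable session ids and an unchecked object lookup,
# each beside a fixed version. Not code from the article or from OWASP.
import hashlib
import secrets


class WeakSessionStore:
    """Constructed insecure pattern: session ids derived from a counter.
    Hashing the counter hides the sequence cosmetically but adds no secrecy."""

    def __init__(self, start=1000):
        self._counter = start
        self._sessions = {}

    def login(self, username):
        self._counter += 1
        sid = hashlib.md5(str(self._counter).encode()).hexdigest()
        self._sessions[sid] = username
        return sid

    def whoami(self, sid):
        return self._sessions.get(sid)


def predict_next_weak_sid(own_sid, search_limit=100000):
    """Attacker step against WeakSessionStore: log in once, recover the
    counter by brute force over a small range, and compute the id the next
    user to log in will receive."""
    for counter in range(search_limit):
        if hashlib.md5(str(counter).encode()).hexdigest() == own_sid:
            return hashlib.md5(str(counter + 1).encode()).hexdigest()
    return None


class SessionStore:
    """Fixed: ids come from the OS CSPRNG with 256 bits of entropy, and the
    server keeps only a hash of each id, so a leaked session table cannot be
    replayed and the lookup never compares the raw id byte by byte."""

    def __init__(self):
        self._sessions = {}  # sha256(sid) -> username

    @staticmethod
    def _key(sid):
        return hashlib.sha256(sid.encode()).hexdigest()

    def login(self, username):
        sid = secrets.token_urlsafe(32)
        self._sessions[self._key(sid)] = username
        return sid

    def whoami(self, sid):
        return self._sessions.get(self._key(sid))


RECORDS = {  # constructed data: record id -> (owner, contents)
    101: ("alice", "alice's statement"),
    102: ("bob", "bob's statement"),
}


def get_record_insecure(store, sid, record_id):
    """Broken access control: authenticates the caller, then serves whatever
    record id they ask for (an insecure direct object reference)."""
    if store.whoami(sid) is None:
        raise PermissionError("not logged in")
    return RECORDS[record_id][1]


def get_record(store, sid, record_id):
    """Fixed: every request re-checks that the authenticated user owns the
    object; a missing record and someone else's record look the same."""
    user = store.whoami(sid)
    if user is None:
        raise PermissionError("not logged in")
    owner, contents = RECORDS.get(record_id, (None, None))
    if owner != user:
        raise PermissionError("no such record")
    return contents


def demo_hijack():
    """Attacker on the weak store logs in first and predicts the next id."""
    weak = WeakSessionStore()
    attacker_sid = weak.login("mallory")
    predicted = predict_next_weak_sid(attacker_sid)
    victim_sid = weak.login("alice")
    return predicted == victim_sid, weak.whoami(predicted)


if __name__ == "__main__":
    print("weak store hijacked:", demo_hijack())
    strong = SessionStore()
    bob = strong.login("bob")
    print("insecure lookup leaks:", get_record_insecure(strong, bob, 101))
    try:
        get_record(strong, bob, 101)
    except PermissionError as exc:
        print("fixed lookup refuses:", exc)
```

The black-box probe for the first flaw is exactly what the attacker function does: log in, observe the id, and see whether a later user's id follows from it. The second flaw is invisible to a scanner that only tracks input validation, because the record id is a perfectly well-formed integer; the missing check is an authorization decision, not a parsing one.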



OPINION 

Software Development Times, August 15, 2006, www.sdtimes.com 



EDITORIALS 

Mercury's Uncertain Fate 

Hewlett-Packard's purchase of Mercury Interactive may make good 
financial sense, and certainly helps HP better position its Open- 
View IT management business to compete against CA's UniCenter and 
IBM's Tivoli. However, given HP's size and focus on general IT, it does 
not bode well for software development and test/QA managers who rely 
upon Mercury's tools. 

Mercury is a powerhouse in software performance management and 
testing. In the 2005 Testers Choice awards, a reader poll conducted by 
SD Times' sibling publication, Software Test & Performance, Mercury 
swept seven out of 14 categories with LoadRunner, TestDirector for 
Quality Center and QuickTest Professional. 

When one company dominates software testing and performance 
management as thoroughly as Mercury, the prospect that a company with 
a US$2.85 billion market cap and $986 million in annual revenue will be 
subsumed into a behemoth is daunting — and frightening. 

The most comparable acquisition in our space, that of Rational by 
IBM in early 2003, differed in that IBM was already a major player in 
software development. By contrast, while HP has a stellar reputation in 
IT management with OpenView, it's only peripherally been involved in 
software development and testing — and its previous experiences were 
lackluster at best. 

The Mercury deal is also much bigger than the Rational purchase: HP 
is paying $4.5 billion, nearly twice what IBM shelled out. The ripple effect 
that this purchase will have on the test market will likewise be huge. 

Consider: Many Mercury test/QA customers may not want to become 
HP customers, especially if they don't use HP hardware, or if they 
prefer competing management platforms like Tivoli or UniCenter or 
Microsoft Operations Manager. Expect other test/performance compa- 
nies to launch aggressive moves to migrate Mercury customers. While 
the lion's share might end up with the other giant, IBM Rational, there's 
a lot of room for players like Compuware, Empirix, Parasoft, Quest or 
Borland to pick up market share. 

Also, the long-term fate of the Mercury test/performance products is 
unknown. Will HP aggressively invest in this new line of business? Will 
they sell the products off? Or will they be neglected and slowly die, just 
like Bluestone Software's middleware did after being purchased by HP 
in late 2000? This speculation may fuel additional acquisitions and 
investment in the test/performance space, as well as uncertainty. 

Fuzz Testing: The Next Trick? 

The Month of Browser Bugs, conducted by the Metasploit Project, 
was an interesting stunt. For the month of July 2006, H.D. Moore 
threw random data at popular Web browsers, and unearthed 27 security 
flaws, 23 of which were in Microsoft's Internet Explorer. 

What does this say about Microsoft's software? Certainly many (but 
not all) of the high-profile security flaws lately have been found in Win- 
dows, Internet Explorer and Office. Because of their sheer market dom- 
inance, those products have long been targeted by worm and virus writ- 
ers, as well as other black hats. 

But fuzz testing, a respected but rarely discussed testing methodolo- 
gy, doesn't care about market dominance; it merely looks to see how well 
a piece of code handles random and malformed input. By that test, 
Microsoft did much worse than its competitors. 

Was this a fair test? Yes. We don't have all the details about the MoBB 
project, but fuzzing is a valid way of testing security. After all, it's a tech- 
nique that black hats can use as much as white hats. If you're vulnerable, 
you're vulnerable. And Microsoft software is vulnerable. 

From the MoBB project, we can draw two conclusions. First, that 
more enterprise developers and ISVs should use fuzzing to test their own 
software. And second, that Microsoft still has plenty of room for 
improvement. I 
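The editorial's one-line description of fuzzing, throwing random and malformed input at code to see how it copes, is worth seeing at the scale of a single parser. The following added example (not code from the Metasploit Project, MoBB or the editorial) is a mutation fuzzer run against a constructed tag-length-value parser that trusts its input, then against a version that checks every assumption. The record format, the seed input and the exception type used for deliberate rejection are all assumptions made for the demonstration; the fuzzer has no coverage feedback, so it keeps only inputs the target accepted, which is the simplest way to let later mutations build on earlier ones.

```python
# Added example: a mutation fuzzer against a constructed parser.
# Not code from the Metasploit Project or the Month of Browser Bugs.
import random


class MalformedInput(ValueError):
    """Raised by the hardened parser for input it deliberately rejects."""


def parse_records(data):
    """Constructed target: a tiny tag-length-value parser written the way such
    code often is, trusting the length byte and the value contents."""
    records, pos = [], 0
    while pos < len(data):
        tag = data[pos]
        length = data[pos + 1]                  # no check that pos + 1 exists
        value = data[pos + 2:pos + 2 + length]  # silently short if truncated
        if tag == 0x01:
            records.append(("name", value.decode("ascii")))  # any high byte raises
        elif tag == 0x02:
            records.append(("age", int(value)))              # non-digits raise
        else:
            records.append(("unknown", value))
        pos += 2 + length
    return records


def parse_records_hardened(data):
    """Same format, with every assumption checked before it is relied on;
    bad input is rejected with one well-defined exception."""
    records, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise MalformedInput("truncated header at offset %d" % pos)
        tag, length = data[pos], data[pos + 1]
        end = pos + 2 + length
        if end > len(data):
            raise MalformedInput("length %d overruns buffer at offset %d" % (length, pos))
        value = data[pos + 2:end]
        if tag == 0x01:
            if not value.isascii():
                raise MalformedInput("name is not ASCII")
            records.append(("name", value.decode("ascii")))
        elif tag == 0x02:
            if not value.isdigit():
                raise MalformedInput("age is not numeric")
            records.append(("age", int(value)))
        else:
            records.append(("unknown", value))
        pos = end
    return records


def mutate(data, rng):
    """One random edit: bit flip, byte insert/delete, boundary-value byte, or truncation."""
    buf = bytearray(data)
    op = rng.choice(("flip", "insert", "delete", "boundary", "truncate"))
    if op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:  # the remaining edits need at least one byte to work on
        i = rng.randrange(len(buf))
        if op == "flip":
            buf[i] ^= 1 << rng.randrange(8)
        elif op == "delete":
            del buf[i]
        elif op == "boundary":
            buf[i] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
        else:
            del buf[i:]
    return bytes(buf)


def fuzz(target, seeds, iterations=3000, rng_seed=1):
    """Mutation fuzzing: pick a corpus entry, apply one to three edits, run
    the target. Unexpected exceptions are recorded with the first input that
    caused them; inputs the target accepted join the corpus. MalformedInput
    is a rejection the parser chose to make, not a bug."""
    rng = random.Random(rng_seed)  # fixed seed so a run is reproducible
    corpus = list(seeds)
    crashes = {}
    for _ in range(iterations):
        candidate = rng.choice(corpus)
        for _ in range(rng.randint(1, 3)):
            candidate = mutate(candidate, rng)
        try:
            target(candidate)
        except MalformedInput:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, candidate)
            continue
        if len(corpus) < 256 and candidate not in corpus:
            corpus.append(candidate)
    return crashes


# Constructed seed: a "name" record followed by an "age" record.
SEEDS = [b"\x01\x05alice\x02\x0230"]

if __name__ == "__main__":
    for name, sample in fuzz(parse_records, SEEDS).items():
        print("%-20s %r" % (name, sample))
    print("hardened parser:", fuzz(parse_records_hardened, SEEDS) or "no crashes")
```

Against the trusting parser a few thousand iterations are enough to turn up an index past the end of the buffer (a length byte flipped so the next header lands on the last byte) and decode and conversion failures on mutated values; in a C implementation the first of those is an out-of-bounds read rather than a Python exception. Against the hardened parser the same run reports nothing, because every malformed input is rejected through the one exception the harness treats as expected. Crash triage starts from the saved input, which is why the fuzzer keeps the first input for each exception type rather than just a count.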



Forget Time-to-Market: 
It's All About Time-to-Money 



The popular business school metric 
time-to-market (TTM) is of little value 
to software development projects. And, 
even worse, it consistently offers incen- 
tives for counterproductive economic 
behavior. The problem is that time-to- 
market measures the ability of 
an organization to get a new 
product out the door whether 
or not that product will be suc- 
cessful in the marketplace. 

A better way to measure 
performance would be to 
focus product efforts on time- 
to-money (TT$), defined as 
the time it takes to deliver a 
product into the marketplace 
and achieve sustainable posi- 
tive economic returns to its maker. 

We've all participated in meetings 
where delivering a software product to 
meet a time-to-market goal was the met- 
ric tied to bonuses. Software developers 
know that any software train can arrive 
on time, if you don't care how many cars 
it has and if what were supposed to be 
Pullman sleepers turn out to be boxcars 
with faulty air brakes. 

Users are smart. They keenly feel 
disappointment when software doesn't 
do what marketers promised, or behaves 
in unexpected and even dangerous ways. 
They tell their friends and clients. The 
sales pipeline dries up. And increasingly, 
wronged customers share their woes 
with product liability lawyers. 

BILLIONS IN WASTE 

Based on reports from the National 
Institute of Standards and Technology 
(NIST) and the Sustainable Computing 
Consortium, the total cost of software 
defects will reach an estimated US$300 
billion this year. This compares with an 
overall software investment of around 
$600 billion. So, half of every dollar 
spent on software goes down the tubes as 
cost- of- defects. 

But what if software development 
teams had to meet a different goal: time- 
to-money? Consider how the incentive 
structure would change if software 
teams were chartered to reduce the time 
between when product development 
begins and when products start to gen- 
erate positive cash flow. 

Products designed to shorten time-to- 
money would arrive to market with clear- 
ly differentiated features and benefits. 
They would delight customers and 
impress influencers. The product makers 
would face lower field support and return 
costs, and software suppliers would avoid 
the embarrassing, negative impact of 
poor quality on reputation and brand. 

There's no doubt that a TT$ incentive 
structure would change software develop- 




ment practices. The current road to qual- 
ity involves tedious, labor-intensive testing 
that has become synonymous with delay 
and expense. This is largely because soft- 
ware quality assurance is a back-ended 
process that involves torture-testing 
already-written code by trying 
it out in a variety of use cases 
until time runs out, and the 
product finally must ship. 

Use cases range from the 
basic — "If I do what I'm sup- 
posed to, do I get expected 
results?" — to the exotic — 
"What happens to my applica- 
tion if I expose it to excessive 
cosmic rays?" (The author 
speaks from personal experi- 
ence when it comes to cosmic ray test- 
ing.) In any event, the testers can't think 
of everything even if they had the time, 
and when it's all over, customers are 
expected to play their traditional role in 
completing the QA process. 

A BETTER WAY 

Now if this were the process used in auto- 
motive or structural design, we'd have a 
lot more highway fatalities and structures 
collapsing. But these engineering disci- 
plines have analytical tools that help them 
identify integrity issues before a car rolls 
onto the test track or a crew starts bull- 
dozing for foundations. Electronic design 
automation for semiconductors provides 
an instructive example of how industrial- 
strength tools enable virtual design across 
teams with hundreds of developers plac- 
ing and routing hundreds of millions of 
transistors onto substrates the size of a 
thumbnail. And these immensely com- 
plex products generally successfully 
announce "hello world" when first con- 
nected to power and signal sources. 

These effective tools exist because of 
the economics associated with post-ship- 
ment quality issues for semiconductors. 
Time-to-money is severely impacted by 
defects, and since profitability is front- 
ended, delayed ramp to volume (caused 
by defective parts) can erase profit mar- 
gins. Ironically, all of the heavy-duty 
engineering tools available to mechani- 
cal, electrical and structural engineers 
are written in software. Conversely, soft- 
ware developers are the cobbler's chil- 
dren who have no shoes. 

But, can we really afford the cost of 
post-shipment software defects any 
longer? With today's applications num- 
bering in the hundreds of thousands or 
millions of lines of code (and doubling 
every three years), and with defect den- 
sities ranging from one to 50 defects per 
1,000 lines of code, we are sitting on a 
time bomb that ticks at a gigahertz pace. 
So, after 45 years of Moore's Law, if 



CPU cycles are all but free, where are 
the engineering tools to help developers 
create better software? 

TOOLS TO USE 

2004 and 2005 marked the first years of 
more widespread adoption of software 
structural analysis tools. Although light 
on engineering, these tools at least deal 
with basic hygiene issues, and can pro- 
vide some level of assurance that coders 
aren't taking too many liberties and/or 
haven't succumbed to the management- 
prescribed "do more with less, but 
worse" practice that has characterized 
the post dot-com era. 

But, these structural analysis tools 
alone won't guarantee software integrity. 
The industry needs analytical, engineer- 
ing tools rooted in science and math (as 
opposed to process) that take advantage 
of plentiful, unused CPU cycles to assess 
software integrity across the develop- 
ment life cycle to deliver a continuous 
readiness assessment. Only a new gener- 
ation of engineering tools can give 
development teams a fighting chance to 
deliver quality products. Software quali- 
ty and time-to-money cannot improve 
significantly without them. 

Time-to-money matters. In fact, in 
most businesses, it's the leading indicator 
for success or failure. Borrowing what 
works from other advanced engineering 
disciplines would serve the software 
industry well. Beyond the technology, it 
has the potential to make each one of 
our daily lives better with respect to 
wealth, health and happiness. What's not 
to like? 

Susan Kunz is president and co-founder 
of Solidware Technologies; before that, 
she worked at Sun Microsystems. 



The Next Big Thing 



The usual wisdom about program- 
ming-language lifetimes is that lan- 
guages become obsolete just as they 
become mature enough to be standard- 
ized. Though Java has been standardized 
from day one, at 10 years old, it's starting 
to seem a little tired. 

What's the next big thing, then? Cer- 
tainly not C#, which is little more than a 
Microsoft-Certified Java with 
.NET libraries. And not script- 
ing systems (I'm reluctant to 
call them languages) like PHP 
and Ruby, which are too Wild 
West to be trustworthy. No 
language that moves compile- 
time bugs into runtime is 
worth your time if you consid- 
er reliability to be important; I 
don't care how fast its adher- 
ents allege you can throw 
together a program. You don't measure 
productivity improvements solely by look- 
ing at a reduction in the lines-of-code- 
written-per-day numbers, even if these 
statistics are trustworthy. 

While looking around the Web to see if 
something interesting is on the horizon, I 
stumbled across the Scala programming 
language (scala.epfl.ch), developed at the 
Ecole Polytechnique Federale de Lau- 
sanne (EPFL) in Lausanne, Switzerland. 
A good overview of the language is at 
scala.epfl.ch/docu/files/ScalaOverview.pdf. 

To quote the EPFL Web site: "Scala is 
a modern multi-paradigm programming 
language designed to express common 
programming patterns in a concise, ele- 
gant and type-safe way. It smoothly inte- 
grates features of object-oriented and 
functional languages including mixins, 
algebraic datatypes with pattern match- 
ing, genericity and more [including oper- 
ator overloading]. It is well integrated 
with Java and .NET: the Scala compiler 
produces standard Java class files or .NET 
assemblies, and Java/.NET libraries and 
frameworks can be used without glue 
code or additional declarations." It is a 
mature language, now at version 2.1.7. 

The last bit of the earlier quote is 
particularly important. You can literally 
intermingle Java classes with Scala code 
without any work whatever. You can even 
do things like implement Java interfaces 
with Scala classes. This ability to 
integrate with existing libraries (which 
the Scala architects see as "components") 
is essential to any language that attempts 
to preempt Java. 

The main strength of Java is its 
libraries, not the language itself. It's rela- 
tively easy to throw together a compiler, at 
least when you compare this effort with 
what's required to build the libraries that 
actually make the language useful. 

In spite of all this wonderfulness (to 
quote Bill Cosby), I don't think Scala is a 
real candidate for the next big thing. 

First, Scala has a hard-to-understand 
syntax, for a C++, C# or Java program- 
mer. Java was largely successful because 
it was an easier-to-understand variant on 
a widely used language (C++). Scala's 
syntax is elegant from an academic per- 
spective, but it's just too different from 
languages people already know to be 
widely accepted. 

A more important question is whether 
another large general-purpose language is 
even a good idea. The more I program, 
the more fault I find in the accepted wis- 
dom that it's good to build large systems in 
recursive layers that encapsulate the com- 
plexity of the underlying layer. 

One way to look at Moore's Law is that 
every 18 months, we make machines fast 
enough to compensate for the inefficien- 
cies we've added in the past 18 months. 

The JVM provides a platform that lets 
you splice disparate languages and 
libraries together into a functional whole. 
That is, you can create a bunch of small 
tightly focused languages that do one 
thing (like build a UI) really well, and 
then create a system by melding together 
parts created in separate languages. This 
is nothing but Unix's hoary "small lan- 
guage" approach to programming, and it 
seems to work well in many applications. 

Perhaps, then, the next big thing will 
actually be a lot of little things, working 
together to do a big job. ■ 

Allen Holub is an architect, consultant 
and instructor in C/C++, Java and OO 
Design. Reach him at www.holub.com. 

Do You Get the Most 
From Your Enterprise Apps? 

An Aberdeen Group study published in May found that workers are losing a significant 
amount of productivity due to improper or absent integration between enterprise appli- 
cations, which it deems essential to maximum efficiency. 

The benchmark report, titled "Achieving More Value From Enterprise Applications," 
estimates that companies stand to save a combined US$143 billion in 2006 if they were to 
adopt best-in-class software maintenance and cost-efficiency practices, such as proper 
application selection and integration through SOA enablement. 

For the study, Aberdeen Group polled a varied range of executives and IT staff from a 
mixture of large, midsize and small companies, mainly in the U.S. and Europe. 
Java EE Arrives. Then, the Big Yawn 



For years, I have been carrying on 
about the complexity of writing Java 
enterprise apps. My complaints fall into 
two broad categories: the pain of using 
Java as an application language, and the 
difficulty of mastering the constituent 
technologies of J2EE, the former enter- 
prise Java framework. 

There is a third aspect of complexity 
that I won't go on about, but which must 
be faced by most developers: the plethora 
of add-on technologies and Java frame- 
works (XML, Web services, JSPs, Struts, 
JavaServer Faces, Spring, Beehive, 
Hibernate and so on.) You don't need 
them all, but you do need to know some 
subset to write enterprise Java apps. 

Returning to the language and the 
J2EE platform, we finally got substantial 
relief this year in the Java EE release. It 
definitely reduces the complexity of 
enterprise apps by simplifying the use of 
EJBs and providing more straightforward 
persistence mechanisms. It also makes 
extensive use of annotations (which are a 
set of concise statements that specify the 
role played by chunks of code. Annota- 
tions were first introduced into the Java 
language in the Java 5 release.) 
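What that annotation-driven simplification looks like in code, as an added example that is not from the column or from Sun: a JPA entity and a stateless EJB 3.0 session bean written against the Java EE 5 APIs. The Account entity, the "accounts" table, the AccountService bean and the "teller" role are all assumed for illustration. Under EJB 2.x the same bean needed a home interface, a component interface, an abstract bean class and an ejb-jar.xml descriptor; here the annotations carry that information, and the container supplies the EntityManager, the transaction and the role check. 

```java
// Added example, not from the column or from Sun. Three source files are
// shown in one listing; the file boundaries are marked in comments.
// Everything named here (Account, "accounts", AccountService, "teller")
// is assumed for illustration.

// --- Account.java (JPA entity) ---
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Table;

@Entity
@Table(name = "accounts")
public class Account {
    @Id
    private long id;
    private String owner;
    private long balanceCents;

    protected Account() { }                       // JPA requires a no-arg constructor

    public Account(long id, String owner, long balanceCents) {
        this.id = id;
        this.owner = owner;
        this.balanceCents = balanceCents;
    }

    public long getId() { return id; }
    public String getOwner() { return owner; }
    public long getBalanceCents() { return balanceCents; }

    // Business rule lives on the entity; the bean below only orchestrates.
    public void withdraw(long cents) {
        if (cents <= 0 || cents > balanceCents) {
            throw new IllegalArgumentException("bad amount: " + cents);
        }
        balanceCents -= cents;
    }
}

// --- AccountService.java (business interface, replaces home + local interfaces) ---
import javax.ejb.Local;

@Local
public interface AccountService {
    Account open(long id, String owner, long balanceCents);
    Account withdraw(long id, long cents);
}

// --- AccountServiceBean.java (stateless session bean, no ejb-jar.xml needed) ---
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;

@Stateless
@RolesAllowed("teller")                           // JSR 250: the container checks the caller's role
public class AccountServiceBean implements AccountService {
    @PersistenceContext                           // injected by the container; no JNDI lookup code
    private EntityManager em;

    // Session-bean methods default to a container-managed REQUIRED transaction.
    public Account open(long id, String owner, long balanceCents) {
        Account a = new Account(id, owner, balanceCents);
        em.persist(a);                            // written to the database when the container commits
        return a;
    }

    public Account withdraw(long id, long cents) {
        Account a = em.find(Account.class, id);
        if (a == null) {
            throw new IllegalArgumentException("no such account: " + id);
        }
        a.withdraw(cents);                        // managed entity: the change is flushed at commit
        return a;
    }
}
```

Package the three classes in an EJB jar with a persistence.xml naming the data source, deploy to a Java EE 5 container, and a client obtains the bean with `@EJB AccountService accounts;`. The one line a security reviewer should insist on is `@RolesAllowed`: without it the bean's methods are reachable by any caller the container lets reach the bean, and the descriptor that used to hold that restriction no longer exists to remind you. 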

With all this goodness delivered after a 
prolonged and vocal demand for reduced 
complexity, you would think the commu- 



nity would be jumping for joy and cele- 
brating this new release, right? Nothing 
doing. At the JavaOne developer love-in 
this year, Java EE was covered but not fet- 
ed. And, to put it mildly, this year's show 
was one that cried out for some kind of 
announcement to focus on. It could have 
been the "Java EE show," but even Sun, it 
appeared, was yawning at the 
new release. 

What gives? Richard Mon- 
son-Haefel, now an analyst for 
Burton Group but previously a 
member of the JCP expert 
group for EJB 2.1 and 3.0 and 
a co-founder of the Apache 
Geronimo project, writes that 
the new version "has failed to 
make Java EE less complicat- 
ed. JEE 5's failure to address 
complexity is a harbinger of the Java EE 
platforms' fall from dominance in the 
enterprise development platform arena. 
Organizations should look elsewhere 
when considering new enterprise devel- 
opment and should plan for the eventual 
sunset of Java EE as an enterprise solu- 
tion." Strong words, and not altogether 
correct, in my view. 

First of all, I should note that this 
report came out at the same time as the 
most recent edition of Monson-Haefel's 
own book on EJBs, the excellent "Enter- 
prise JavaBeans 3.0" from O'Reilly and 
Associates, co-authored with Bill Burke. 
(To be fair, Burke did most of the work — 
essentially updating Monson-Haefel's 
earlier edition to cover EJB 3.0.) In it, 
Monson-Haefel touts the benefits of the 
new standard "that greatly simplifies the 
EJB programming model." In 
his report for Burton Group, 
however, he contends that 
Microsoft .NET (especially), 
open-source Java frameworks 
and Ruby on Rails are the 
new models that will eventu- 
ally squeeze out Java EE. 

His view is shared by many 
others, especially those who 
have already embraced those 
solutions. But I don't believe 
it. Microsoft .NET is certainly a chal- 
lenger to enterprise Java. However, it has 
yet to make the deep penetration into 
large-scale enterprise situations, although 
it is moving in that direction. Its benefits 
(one company, one set of integrated solu- 
tions) are offset by Microsoft's long track 
record as an unreliable partner for enter- 
prises. (Consider the forced technology 
transitions, the poor track record of prod- 
uct delivery, and the ongoing inability to 
create host operating systems that don't 
require regular reboots. Only once these 
aspects are solved will Microsoft have 
enterprise creds.) 

The open-source frameworks are a 
different story. They do simplify many 
tasks, but they lack the complete set of 
enterprise features. They surely make 
sense in the SMB space and in enterpris- 
es with modest needs. However, for them 
to take over larger computing centers 
from Java EE, they will need to add many 
new features and services — resulting in a 
corresponding increase in complexity. 

Ruby on Rails (RoR) has truly inge- 
nious design decisions that make rapid 
development of large projects possible. 
However, it is not currently capable of 
enterprise-scale workloads. The primary 
reason for this is performance. It is far 
slower than Java, and lacks testing in high- 
volume contexts. Finally, it's not clear that 
RoR provides all the necessary services in 
an integrated, enterprise-scale package. 
Adding these services will add complexity. 
How RoR handles this challenge will 
determine its role and its longevity, but for 
now, it's not a competitor to Java EE. 

I think Java EE has legs. It drives many 
of today's largest sites and will continue to 
do so for a long time. Plus, it's not standing 
still. Refinements and simplifications will 
continue to be made, leading to a deploy- 
ment life far longer than naysayers expect. 

Andrew Binstock is the principal analyst 
at Pacific Data Works. 



The Art & Science of Software Testing 

A Special Supplement to SD Times 

"The Art & Science of Software Testing" will highlight the leading tools and solutions for 
software testing and quality assurance, including: 

• Application Life-Cycle Management 

• Build Management 

• Change/Configuration Management 

• Debuggers 

• Defect Trackers 

• Embedded & Mobile Test Solutions 

• Performance Management/Optimization 

• Requirements Management 




• Security Analysis Tools 

• Security Testing Suites 

• Test Automation 

• Testing Services 

• Vulnerability Testing Tools 

• Web Load Testing 

• Web Security Testing 

• Web Services/SOA Testing 



"The Art & Science of Software Testing" is brought to you by BZ Media, 
publisher of SD Times, the industry's most trusted source of software 
development news and analysis. 

Look for it with the October 1 issue! 
New Looks at Books 



Physical books will always be impor- 
tant to a professional programmer. 

Everything from the resolution (no 
one clamors for more than 15 diagonal 
inches in a book!) to the tactile aesthet- 
ics of high-grade paper, as well as the 
superb portability and relative rugged- 
ness, weighs in on the value of print. On 
the other hand, books are heavy and 
they take up shelf space. 

What's more, it's difficult to spend $65 
to access five pages on some API that 
you'll likely never use again, especially 
when you don't have the shelf space to 
keep the book on the off chance that it 
contains some other five pages that would 
apply in some other project down the line. 

For those situations, online reference 
libraries like Safari and Books24x7 
promise a solution. Both allow you to 
access a large library of works from a 
number of different publishers, read 
them online, and download a specific 
chapter for individual use. In both, 
browser-based reading is done in a single 
HTML-based column with a tree control 
on the left allowing access to other chap- 
ters, index and so forth. Both have tools 
for annotations and bookmarks. Safari is 
in the process of rolling out interface 
upgrades that significantly increase the 
amount of text returned per HTML page 
(a noticeable improvement) and that 
allow delivery of "graphically rich" books 
like the "Head First" series (a less suc- 
cessful experiment involving bitmapped 
images of the pages). A seemingly similar 
service is the utterly unworthy Amazon 
digital library, which gives you online 
access to a digital version of a book you've 
bought in print. The digital 
version is a bitmapped scan of 
the page, complete with back- 
ground noise, and it's unthink- 
able to imagine paying for the 
privilege of reading a complete 
chapter, much less a complete 
book, in such a way. 

I compared the two ser- 
vices in two areas in which 
many books have been pub- 
lished over the years: artificial 
intelligence and C++. 

In AI, the results were unequivo- 
cal: Safari's eight selections included 
several that weren't really AI-related 
("Voice Application Development With 
VoiceXML"), and the three books with 
"AI" in the title were all for game pro- 
gramming. Books24x7, in contrast, 
returned 31 results, including works 
from the presses of MIT, Cambridge 
University and Morgan Kaufmann. 
Books24x7's relationship with academic 
publishers seems to give the service bet- 
ter depth than Safari, and not just in eso- 
teric subjects — the immensely pragmat- 
ic Scott Ambler, for instance, publishes 
with Cambridge University Press. 

In C++, the results were more 
ambiguous. Both had similar quantities 
(65 books in Safari, 88 in Books24x7). 
Safari emphasized titles by 
O'Reilly (naturally) and Addi- 
son-Wesley, while Books24x7 
had a significantly broader 
array of publishers, with per- 
haps an emphasis on Wiley, 
APress and McGraw-Hill/ 
Osborne. Titles from Course 
Technology, Microsoft, Premier 
Press, Que and Sams 
were found on both. Despite 
Books24x7's slight numerical 
edge, the Addison-Wesley Professional 
imprimatur is the best for C++, so I give 
the nod to Safari on that account. 

However, neither service provides any 
of Bjarne Stroustrup's books! This is a 
telling shortcoming, which is that these 
services are not true reference libraries, 
but simply catalogs of books that pass 
some gamut of licensing and binary avail- 
ability. This is obvious when "The C++ 
Programming Language" is not available, 
but is also true in the AI returns, where 
the high quality of some Books24x7 
returns (including "the" book on support 
vector machines) might disguise the 
holes in other areas (say, evolutionary 
computation). In this way, these online 
services remind me less of a library and 
more of a used-book store: You might 
find a gem, but because you can't rely on 
finding even a pretty good book on a giv- 
en subject, it's hard to rely on them as the 
front line of your reference library. 

Safari starts at US$10 per month for 
access to five books per month. Access to 
a book is limited until you "put it on your 
bookshelf," and thus bite into your 
monthly allocation. In my experience, a 
"5-slot" bookshelf is just too limiting: a 10- 
slot bookshelf with the ability to download 
five PDF chapters per month is $20. 

Books24x7 requires a bigger commit- 
ment: Access to the "ITPro" collection 
costs US$495 per individual per year. 
Corporate licenses are available, and 
Books24x7 seems to emphasize the cor- 
porate channel: In addition to the high 
immediate cost, it has the ability to 
assemble "corporate libraries" of titles, 
etc. These prices would be one thing if 
the services had comprehensive cover- 
age. To me, these services are priced a 
shade too high. I guess I'll have to buy 
more shelves for the garage. 

Larry O'Brien is a technology consul- 
tant, analyst and writer. Read his blog at 
www.knowing.net. 
A 12-Step Program 



Industry Watch 



The debate over what to do with sub- 
stance abusers rages on. Throw 'em 
all in jail, many argue, to keep our 
streets safe from the crimes they commit 
to support their addiction. Rehabilitate 
them, others argue, so their behavior 
will change and they no longer will be a 
menace to society. 

So, what to do with Microsoft, the 
Robert Downey Jr. of the 
technology industry? 

The company has been 
fined millions of dollars and 
paid out multimillions more 
to settle lawsuits based on 
what several courts have 
called the company's monopo- 
listic business practices. 
Those were the crimes 
Microsoft committed to 
acquire more substance — in 
this case, deals to lock others out of the 
browser, operating system and office 
productivity software markets so 
Microsoft could achieve dominance 
there and rake in billions of dollars in 
revenues. This company has a serious 
cash jones. 

But suddenly, on the heels of the lat- 
est European Union action to fine 
Microsoft for failing to correct its busi- 
ness practices, the company declared it 
wants to be rehabilitated. It even went 
so far as to spell out the 12-step program 
it will undergo to become a better cor- 
porate citizen and no longer be a men- 
ace to competing software companies 
everywhere. 

In a story that one would have 
thought would have been more widely 
covered if for nothing more than sheer 
entertainment value — and because the 
announcement was made at the 
National Press Club in Washington, 
D.C. — Microsoft general counsel Brad 
Smith laid out 12 voluntary tenets that 
he said the company will follow from 
here on in regarding the development 
of the Windows desktop platform. (See 
them at 
www.microsoft.com/presspass/newsroom/winxp/windowsprinciples.mspx) 
Believable? You decide. To me, it has 
the credibility of Downey Jr. himself, 
after leaving rehab for the umpteenth 
time, declaring that this time he has 
seen the error of his ways and from here 
on out will be clean and sober. 

But you've got to hand it 
to Microsoft. At least Smith 
put those principles out 
there, even if they're met 
with heaping piles of skepti- 
cism bordering on mockery. 
After all, Downey went into 
rehab pretty much after each 
of his arrests, and the jury's 
still out — pardon the expres- 
sion — on whether or not he's 
a changed man. 

Before seeing the light, the first 
commandment under which Microsoft 
operated was "Thou Shalt Have No 
Other Operating Systems Before Me." 
Now, Smith said the five tenets 
beneath the first principle, "Choice for 
Computer Manufacturers and Cus- 
tomers," call for the company to make 
it easier to install non-Microsoft pro- 
grams instead of or in addition to Win- 
dows features, such as Windows Media 
Player and Internet Explorer. "Ulti- 
mately," and I quote the explanation 
given on the Microsoft Web site, "end 
users are free to choose which software 
they prefer to use." 

How wonderfully generous of them! 
John Lennon, were he still alive, would 
be so moved as to write a song about this 
revelation... "Imagine there's no lock-in. 
It isn't hard to do. . ." 

Under the second principle, called 
"Opportunities for Developers," Micro- 
soft says it won't block access to any 
lawful Web site or impose a fee for 
reaching a non- Microsoft Web site or 
Web service. It will provide APIs that 
let competing products plug into Win- 
dows as easily (or poorly, some might 
say) as Microsoft's own. It will separate 
out Windows Live, the Internet ser- 
vices piece, from Windows. Last, it lets 
developers know they are free to devel- 
op products that compete with any part 
of Windows, without any retaliation 
from Microsoft. 

Under the final heading of "Interop- 
erability for Users," we are left with the 
knowledge that Microsoft will support a 
range of industry standards in Windows, 
license its patents under fair and rea- 
sonable terms, and make available "on 
commercially reasonable terms" all the 
communications protocols it has built 
into Windows. 

It seems to me an earlier set of 
guiding principles — written thousands 
of years ago — spelled out many of 
these same behaviors: Get along with 
others, don't covet your neighbor's 
software inventions, don't kill off com- 
peting companies. 

Maybe Microsoft's executives have 
seen the light. Maybe they realize that 
as Linux and open source finally grow 
into viable alternatives, an all-or-noth- 
ing strategy would be a losing one in 
the long term. Maybe Bill Gates' 
humanitarian streak has begun to trick- 
le down through the company. 

And maybe, like a common drunk 
who's temporarily back on the wagon, it's 
putting on a brave face and stout 
demeanor to prove it can change. I can 
think of nothing that would benefit our 
industry more than Microsoft making its 
platform truly interoperable with other 
systems and software. 

But I'm not convinced. That cash 
jones can be a powerful thing. Let's see 
how the company behaves when all this 
sharing and good-neighbor stuff results 
in declining revenues, and the Redmond 
bigs find themselves forced to go cold 
turkey on money. Will that drive them 
back to the drink? It's a slippery slope. 

David Rubinstein is editor-in-chief of 
SD Times. 



Enterprise Java company Terracotta has named Amit Pandey CEO to help grow out 
the company's clustered JVM technology. Before joining Terracotta, Pandey held VP 
positions at Network Appliance. Terracotta founder and CTO Ari Zilka wants Pandey 
to continue driving Terracotta into the financial services, retail, telco and Internet 
services markets, where the technology is experiencing an uptake, according to the 
company. "Terracotta is drop-in technology that is easy to deploy and makes all 
Java applications enterprise-class," Pandey said. "Our technology has industry- 
shifting ramifications because it requires no coding. We make open-source software 
enterprise-ready, so it's a viable alternative to many commercial solutions." Terra- 
cotta's ability to bring caching and clustering into the Java runtime environment 
adds fault tolerance, scalability and high availability to any Java application, the 
company said. 

EARNINGS: Microsoft announced record fourth-quarter revenue of 
US$11.8 billion, a 16 percent increase over the same year-ago quarter. Net 
income for the quarter ended June 30 was $2.83 billion, or 28 cents per 
share, down from the same period a year earlier when the company posted 
net income of $3.70 billion and EPS of 34 cents. For the fiscal year, Microsoft 
had revenue of $44.28 billion, up 11 percent from the previous year. Net 
income for the year was $12.60 billion. The company also announced a share 
repurchase program of $20 billion to be completed by Aug. 17, and authorized 
an additional $20 billion buyback with an expiration date of June 30, 2011 
. . . Compuware reported fiscal 2007 first-quarter revenue of US$296.3 mil- 
lion and net income of $29.3 million, up from net income of $24.6 million in 
the same quarter of fiscal 2006. Professional services accounted for $118.5 
million in revenue, while maintenance fees were $110.3 million and software 
license fees were $67.5 million . . . Informatica reported revenue of 
US$80.8 million, up 26 percent from the year-earlier quarter, and net income 
of $7.6 million for its fiscal 2006 second quarter . . . Performance manage- 
ment solutions provider Applix reported fiscal second-quarter 2006 revenue 
of US$13.32 million, a 41 percent increase over the $9.43 million posted in the 
same year-ago quarter. 



CALENDAR OF EVENTS 

EclipseWorld 2006, Sept. 6-8, Boston (BZ Media), www.eclipseworld.net 

VSLive, Sept. 10-13, New York City (Fawcette Technical Publications), www.ftponline.com/conferences/vslive/2006/newyork 

SD Best Practices Conference, Sept. 11-14, Boston (CMP Media), www.sdexpo.com/2006/sdbp 

High Performance on Wall Street, Sept. 18, New York City (Lighthouse Partners & Flagg Management), www.highperformanceonwallstreet.com 

Application Development Summit, Sept. 25-27, Phoenix (Gartner), www.gartner.com/2_events/conferences/ad8.jsp 

Embedded Systems Conference Boston, Sept. 25-28, Boston (CMP Media), www.embedded.com/esc/boston 

Intel Developer Forum, Sept. 26-28, San Francisco (Intel), www.intel.com/idf 

Open Source Summit, Sept. 27-29, Phoenix (Gartner), www.gartner.com/2_events/conferences/os2.jsp 

Symposium/ITxpo, Oct. 8-13, Orlando, Fla. (Gartner), www.gartner.com/it/sym/2006_/sym16/sym16_home.jsp 

Mercury World, Oct. 8-11, Las Vegas (Mercury Interactive), www.mercuryevents.net/mercuryworld/home.cfm 

STAR West, Oct. 16-20, Anaheim (Software Quality Engineering), www.sqe.com/starwest 

SoftSummit, Oct. 17-18, Santa Clara (Macrovision), www.softsummit.com 

Development Products Conference, Oct. 19-20, San Jose (Evans Data), www.evansdata.com/dpc 

Oracle OpenWorld, Oct. 22-26, San Francisco (Oracle), www.oracle.com/openworld 

OOPSLA, Oct. 22-26, Portland, Ore. (ACM SIGPLAN), www.oopsla.org/2006 

Software Test & Performance Conference, Nov. 7-9, Boston (BZ Media), www.stpcon.com 

For a more complete calendar of U.S. software 
development events, see www.bzmedia.com/calendar. 
Information is subject to change. Send news about 
upcoming events to events@bzmedia.com. 
simplify your deployment 

Automated Build Studio is the perfect 
tool for building and releasing our 
software and it makes my working day 
so much easier. 

Bart Roozendaal 
SEVENSTEPS 

• VISUAL MACRO CREATION: Just drag and drop operations and set parameters 

• POPULAR TOOLS SUPPORT: Built-in support for more than 400 build and deploy operations 

• SIMPLIFY BUILD PROCESSES: Eliminate manual operations and complicated scripts 

• REMOTE WEB INTERFACE: Launch and monitor builds securely from any web browser 

• VISUAL STUDIO INTEGRATION: Run stand-alone or integrated with Microsoft Visual Studio 

• ONLINE ALERTS: Notify developers, testers and managers with instant messaging, email, text/sms 

• CUSTOM OPERATIONS: Easily create new operations with the comprehensive SDK 



Automated Build Studio is a release management system that provides an easy and 
visual way to automate the software development build and deployment process. 
Create visual macros with drag and drop pre-built operations. More than 400 built-in 
operations are included for most popular tools. 



$349.99 

Named user license 

Concurrent & site licenses available 

• 60 Day Money Back Guarantee 

• Unlimited Online Support 

• Free Evaluation 




DOWNLOAD A FREE TRIAL 
www.automatedqa.com/abs/sdoffer/ 



AutomatedQA 

test, debug, deliver! 